Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Bg6DyC7lDh

Overview

General Information

Sample Name:Bg6DyC7lDh (renamed file extension from none to dll)
Analysis ID:562461
MD5:3fa1bec287b995a7f96dc3866eff577d
SHA1:c721507f4a11e090f107d071a99aaeffbdc0ea43
SHA256:f7a5f6bc0833474da5450e33786893ac7b996ba5e91ed0f7d3243dc4d7db5486
Tags:32dllexetrojan
Infos:

Detection

Emotet
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 972 cmdline: loaddll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6152 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6176 cmdline: rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6380 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • BackgroundTransferHost.exe (PID: 6380 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
    • regsvr32.exe (PID: 6164 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Bg6DyC7lDh.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6324 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6184 cmdline: rundll32.exe C:\Users\user\Desktop\Bg6DyC7lDh.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6484 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrq",FloWMCkThX MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6524 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lvetlyszixrl\grmpeubxplti.rrq",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6388 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6300 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6504 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6600 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6808 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6872 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6900 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5556 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6168 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6704 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6852 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Bg6DyC7lDh.dllJoeSecurity_Emotet_1Yara detected EmotetJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000007.00000002.287494272.0000000005381000.00000020.00000800.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
      0000000B.00000002.780209080.0000000005701000.00000020.00000800.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
        00000004.00000002.296338746.0000000004F71000.00000020.00000800.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
          0000000B.00000002.779999636.0000000005491000.00000020.00000800.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
            00000003.00000002.268531340.0000000000DE0000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
              Click to see the 60 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              11.2.rundll32.exe.5250000.12.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                11.2.rundll32.exe.5700000.21.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                  11.2.rundll32.exe.46f0000.2.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                    11.2.rundll32.exe.5000000.8.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                      4.2.rundll32.exe.4c00000.4.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                        Click to see the 89 entries

                        Sigma Overview

                        System Summary

                        barindex
                        Sigma detected: Suspicious Call by Ordinal
                        Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6152, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1, ProcessId: 6176

                        Jbx Signature Overview

                        Click to jump to signature section

                        Show All Signature Results

                        AV Detection

                        barindex
                        Found malware configuration
                        Source: 11.2.rundll32.exe.5650000.18.raw.unpackMalware Configuration Extractor: Emotet {"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
                        Multi AV Scanner detection for submitted file
                        Source: Bg6DyC7lDh.dllVirustotal: Detection: 14%Perma Link
                        Machine Learning detection for sample
                        Source: Bg6DyC7lDh.dllJoe Sandbox ML: detected
                        Source: Bg6DyC7lDh.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,

                        Networking

                        barindex
                        System process connects to network (likely due to code injection or exploit)
                        Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 74.207.230.120 144
                        Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 139.196.72.155 144
                        C2 URLs / IPs found in malware configuration
                        Source: Malware configuration extractorIPs: 74.207.230.120:8080
                        Source: Malware configuration extractorIPs: 139.196.72.155:8080
                        Source: Malware configuration extractorIPs: 37.44.244.177:8080
                        Source: Malware configuration extractorIPs: 37.59.209.141:8080
                        Source: Malware configuration extractorIPs: 116.124.128.206:8080
                        Source: Malware configuration extractorIPs: 217.182.143.207:443
                        Source: Malware configuration extractorIPs: 54.37.228.122:443
                        Source: Malware configuration extractorIPs: 203.153.216.46:443
                        Source: Malware configuration extractorIPs: 168.197.250.14:80
                        Source: Malware configuration extractorIPs: 207.148.81.119:8080
                        Source: Malware configuration extractorIPs: 195.154.146.35:443
                        Source: Malware configuration extractorIPs: 78.46.73.125:443
                        Source: Malware configuration extractorIPs: 191.252.103.16:80
                        Source: Malware configuration extractorIPs: 210.57.209.142:8080
                        Source: Malware configuration extractorIPs: 185.168.130.138:443
                        Source: Malware configuration extractorIPs: 142.4.219.173:8080
                        Source: Malware configuration extractorIPs: 118.98.72.86:443
                        Source: Malware configuration extractorIPs: 78.47.204.80:443
                        Source: Malware configuration extractorIPs: 159.69.237.188:443
                        Source: Malware configuration extractorIPs: 190.90.233.66:443
                        Source: Malware configuration extractorIPs: 104.131.62.48:8080
                        Source: Malware configuration extractorIPs: 62.171.178.147:8080
                        Source: Malware configuration extractorIPs: 185.148.168.15:8080
                        Source: Malware configuration extractorIPs: 54.38.242.185:443
                        Source: Malware configuration extractorIPs: 198.199.98.78:8080
                        Source: Malware configuration extractorIPs: 194.9.172.107:8080
                        Source: Malware configuration extractorIPs: 85.214.67.203:8080
                        Source: Malware configuration extractorIPs: 66.42.57.149:443
                        Source: Malware configuration extractorIPs: 185.148.168.220:8080
                        Source: Malware configuration extractorIPs: 103.41.204.169:8080
                        Source: Malware configuration extractorIPs: 128.199.192.135:8080
                        Source: Malware configuration extractorIPs: 195.77.239.39:8080
                        Source: Malware configuration extractorIPs: 59.148.253.194:443
                        Source: Joe Sandbox ViewASN Name: AS-CHOOPAUS AS-CHOOPAUS
                        Source: Joe Sandbox ViewASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
                        Source: Joe Sandbox ViewIP Address: 207.148.81.119 207.148.81.119
                        Source: Joe Sandbox ViewIP Address: 104.131.62.48 104.131.62.48
                        Source: global trafficTCP traffic: 192.168.2.7:49762 -> 74.207.230.120:8080
                        Source: global trafficTCP traffic: 192.168.2.7:49765 -> 139.196.72.155:8080
                        Source: unknownNetwork traffic detected: IP country count 15
                        Source: unknownTCP traffic detected without corresponding DNS query: 74.207.230.120
                        Source: unknownTCP traffic detected without corresponding DNS query: 74.207.230.120
                        Source: unknownTCP traffic detected without corresponding DNS query: 74.207.230.120
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155
                        Source: svchost.exe, 0000001A.00000003.451274453.000002DEDAF44000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
                        Source: svchost.exe, 0000001A.00000003.451274453.000002DEDAF44000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
                        Source: svchost.exe, 0000001A.00000003.451210365.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-21T16:24:38.4044683Z||.||031efeb6-e916-442f-a665-3e8426d4bc5a||1152921505694396307||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                        Source: svchost.exe, 0000001A.00000003.451210365.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-21T16:24:38.4044683Z||.||031efeb6-e916-442f-a665-3e8426d4bc5a||1152921505694396307||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                        Source: svchost.exe, 0000001A.00000003.451210365.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","A equals www.facebook.com (Facebook)
                        Source: svchost.exe, 0000001A.00000003.451210365.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","A equals www.twitter.com (Twitter)
                        Source: svchost.exe, 00000005.00000002.614981477.000002FA99060000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.473621700.000002DEDAF00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                        Source: svchost.exe, 00000005.00000002.614917318.000002FA99012000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.473526103.000002DEDA6ED000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                        Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                        Source: rundll32.exe, 0000000B.00000003.338094646.0000000005511000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bd5fe19e122a6
                        Source: svchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://help.disneyplus.com.
                        Source: svchost.exe, 0000000D.00000002.322076624.000001A9C1413000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
                        Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
                        Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://%s.xboxlive.com
                        Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com
                        Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.comr
                        Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                        Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                        Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                        Source: svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                        Source: svchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                        Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                        Source: svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                        Source: svchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                        Source: svchost.exe, 0000000D.00000003.320908225.000001A9C1467000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322149285.000001A9C146A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                        Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                        Source: svchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                        Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                        Source: svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                        Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                        Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                        Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                        Source: svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                        Source: svchost.exe, 0000000D.00000002.322115623.000001A9C1442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321477876.000001A9C1441000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                        Source: svchost.exe, 0000000D.00000002.322115623.000001A9C1442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321477876.000001A9C1441000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                        Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                        Source: svchost.exe, 0000000D.00000002.322122135.000001A9C1447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322090596.000001A9C1429000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321252960.000001A9C1446000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                        Source: svchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://disneyplus.com/legal.
                        Source: svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                        Source: svchost.exe, 0000000D.00000002.322122135.000001A9C1447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321252960.000001A9C1446000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                        Source: svchost.exe, 0000000D.00000002.322122135.000001A9C1447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321252960.000001A9C1446000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                        Source: svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322115623.000001A9C1442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321477876.000001A9C1441000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
                        Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                        Source: svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                        Source: svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                        Source: svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                        Source: svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322076624.000001A9C1413000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                        Source: svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                        Source: svchost.exe, 0000000D.00000003.321367338.000001A9C1445000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                        Source: svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                        Source: svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321593288.000001A9C143A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                        Source: svchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                        Source: svchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                        Source: svchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                        Source: svchost.exe, 0000001A.00000003.447105193.000002DEDB402000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446901322.000002DEDAFC2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446829559.000002DEDAF8A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446821206.000002DEDAF79000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.447041610.000002DEDAFAB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446970410.000002DEDAFC2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10012C30 _memset,connect,send,recv,
                        Source: loaddll32.exe, 00000000.00000002.276483841.000000000153B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

                        E-Banking Fraud

                        barindex
                        Yara detected Emotet
                        Source: Yara matchFile source: Bg6DyC7lDh.dll, type: SAMPLE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5250000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5700000.21.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.46f0000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5000000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4c00000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.53a0000.15.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5650000.18.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4e40000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5460000.16.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4fa0000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5380000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4fa0000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4f70000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5170000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.5100000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.rundll32.exe.de0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.54e0000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.regsvr32.exe.4cd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4de0000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.14d0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.11c0000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5350000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5510000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4e10000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5280000.13.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4dc0000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4fd0000.11.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.51a0000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.5100000.12.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.1280000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5670000.12.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 9.2.rundll32.exe.4870000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5350000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.1180000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5650000.18.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4af0000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.53b0000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4e40000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5060000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.46f0000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4ea0000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4c30000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5190000.11.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5370000.14.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4ea0000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.1500000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.regsvr32.exe.4cd0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.56a0000.13.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 9.2.rundll32.exe.48a0000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.5130000.13.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4dc0000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.c40000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.rundll32.exe.e10000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.56d0000.20.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5490000.17.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4de0000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.c40000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.53b0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5070000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 9.2.rundll32.exe.4870000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5510000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5680000.19.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5000000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4af0000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.e50000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5070000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.1280000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.1180000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4ed0000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5460000.16.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.50c0000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.56d0000.20.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5250000.12.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5370000.14.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4b20000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.14d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5030000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.regsvr32.exe.4d10000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5540000.11.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4df0000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5670000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4c00000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4730000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.rundll32.exe.de0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5170000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5060000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000007.00000002.287494272.0000000005381000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.780209080.0000000005701000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296338746.0000000004F71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779999636.0000000005491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.268531340.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296293943.0000000004E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.288455858.0000000004870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.274458477.0000000001501000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287862922.0000000005541000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779143719.0000000000E51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.294626282.0000000001180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779418909.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.266354631.0000000004D11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296431152.0000000005131000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287111363.0000000005170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287132788.00000000051A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.262826472.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.288482327.00000000048A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779603939.0000000005000000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287038579.0000000005070000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.778637126.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779449781.0000000004DF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779771482.0000000005281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779542982.0000000004ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296459967.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296356591.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779971740.0000000005460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.295961219.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.285682496.0000000001280000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296375902.0000000004FD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779631051.0000000005031000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287469423.0000000005350000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779317583.0000000004731000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.295334948.0000000004B21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287075796.00000000050C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.285736531.0000000004AF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.780141318.0000000005681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779684590.0000000005191000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.268562280.0000000000E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.271956434.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779867718.0000000005370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.295156896.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287604820.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296406434.0000000005100000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296276538.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.293864491.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779237002.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779911189.00000000053A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.780100280.0000000005650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287829918.0000000005510000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779726684.0000000005250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287729935.00000000054E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296314729.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296141210.0000000004C31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.288375637.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.266639849.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779504243.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.780181061.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779651988.0000000005060000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.780299654.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.294816386.00000000011C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.288125580.00000000056A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.288102612.0000000005670000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.276915244.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.268591855.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

                        System Summary

                        barindex
                        Source: Bg6DyC7lDh.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                        Source: C:\Windows\SysWOW64\rundll32.exeFile deleted: C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrq:Zone.IdentifierJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Lvetlyszixrl\Jump to behavior
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10036007
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10041050
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1003130F
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10030460
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10041592
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1003E59F
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10036007
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10041050
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003130F
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10030460
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10041592
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003E59F
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10040B0E
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10041C56
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10036CB5
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1001CD16
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10042D21
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10036007
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10041050
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003130F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10030460
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10041592
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003E59F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10040B0E
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10041C56
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10036CB5
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001CD16
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10042D21
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D3512
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C9700
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CF93D
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011E1B54
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C8D95
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DB391
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CE243
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DE498
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CEC9B
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DEE94
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DBE8C
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D74DD
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C68DE
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D5CF9
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C70ED
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C911A
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CBD0F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CC309
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DFF31
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D0D33
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C472E
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011E0D5B
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CF154
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DA156
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D4B56
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C1950
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D2753
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C194C
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CBB4B
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D0946
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D3D41
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C777B
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D8D71
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CAB66
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C1F9B
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011E1993
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CFD8C
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DC38F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CF58F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D9186
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C7B82
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C3FB8
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DC9A9
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D99AA
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D41A7
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C2FA1
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D45CD
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CCFCE
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DD3C8
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D7BCA
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DEBFF
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D2BF6
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D561F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C6A1F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CB41A
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D363D
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D1831
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C2830
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D542E
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DA429
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C6C29
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CB821
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CC850
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C8650
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D5040
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CCA43
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C9A7D
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011E3672
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011E146E
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CE86A
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D026B
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011E0867
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D6864
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D129C
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D109E
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011CAE9A
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DCC89
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C6083
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D04B8
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011E04DE
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C6ED6
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DD8D7
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DACD3
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C44FA
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C88F4
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011D64F1
                        Source: C:\Windows\System32\loaddll32.exeCode function: String function: 10032B38 appears 32 times
                        Source: C:\Windows\System32\loaddll32.exeCode function: String function: 10030D27 appears 91 times
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10032B38 appears 45 times
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030D5A appears 32 times
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030D27 appears 106 times
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10032B38 appears 45 times
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030D5A appears 32 times
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030D27 appears 118 times
                        Source: Bg6DyC7lDh.dllBinary or memory string: OriginalFilenameFinalChatSocketCli.exe> vs Bg6DyC7lDh.dll
                        Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
                        Source: Bg6DyC7lDh.dllVirustotal: Detection: 14%
                        Source: Bg6DyC7lDh.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll"
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bg6DyC7lDh.dll
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bg6DyC7lDh.dll,DllRegisterServer
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrq",FloWMCkThX
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lvetlyszixrl\grmpeubxplti.rrq",DllRegisterServer
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                        Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                        Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bg6DyC7lDh.dll
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bg6DyC7lDh.dll,DllRegisterServer
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1
                        Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrq",FloWMCkThX
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lvetlyszixrl\grmpeubxplti.rrq",DllRegisterServer
                        Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                        Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                        Source: classification engineClassification label: mal92.troj.evad.winDLL@32/9@0/34
                        Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1
                        Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5728:120:WilError_01
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc,
                        Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: Bg6DyC7lDh.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: Bg6DyC7lDh.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: Bg6DyC7lDh.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: Bg6DyC7lDh.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: Bg6DyC7lDh.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10032B7D push ecx; ret
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10030DFF push ecx; ret
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10032B7D push ecx; ret
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10030DFF push ecx; ret
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C114C push ds; ret
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011C15F5 push cs; retf
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                        Source: Bg6DyC7lDh.dllStatic PE information: real checksum: 0x8f55d should be: 0x93bb7
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bg6DyC7lDh.dll
                        Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrqJump to behavior

                        Hooking and other Techniques for Hiding and Protection

                        barindex
                        Hides that the sample has been downloaded from the Internet (zone.identifier)
                        Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrq:Zone.Identifier read attributes | delete
                        Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Zgbnpellpfgcalth\ckic.obq:Zone.Identifier read attributes | delete
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100134F0 IsIconic,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_100134F0 IsIconic,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100134F0 IsIconic,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
                        Source: C:\Windows\System32\svchost.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exe TID: 6344Thread sleep time: -60000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 6844Thread sleep time: -150000s >= -30000s
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                        Source: C:\Windows\System32\loaddll32.exeAPI coverage: 4.6 %
                        Source: C:\Windows\SysWOW64\regsvr32.exeAPI coverage: 3.6 %
                        Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 3.8 %
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                        Source: C:\Windows\SysWOW64\regsvr32.exeAPI call chain: ExitProcess graph end node
                        Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                        Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                        Source: svchost.exe, 00000005.00000002.614981477.000002FA99060000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: "@Hyper-V RAW
                        Source: svchost.exe, 00000005.00000002.614748959.000002FA93C29000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`3
                        Source: svchost.exe, 00000005.00000002.614970809.000002FA99054000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.473526103.000002DEDA6ED000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.473428981.000002DEDA6A5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: svchost.exe, 0000001A.00000002.473503354.000002DEDA6E1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 5-A1ED- @Hyper-V RAW
                        Source: svchost.exe, 0000000A.00000002.779103437.000001FEA5066000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.779001338.000002352F429000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_011DD374 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                        HIPS / PFW / Operating System Protection Evasion

                        barindex
                        System process connects to network (likely due to code injection or exploit)
                        Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 74.207.230.120 144
                        Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 139.196.72.155 144
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003DAA7 cpuid
                        Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10030A37 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd,

                        Lowering of HIPS / PFW / Operating System Security Settings

                        barindex
                        Changes security center settings (notifications, updates, antivirus, firewall)
                        Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cvalJump to behavior
                        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
                        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                        Source: svchost.exe, 0000000F.00000002.778982827.000002B012E40000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: svchost.exe, 0000000F.00000002.778875427.000002B012E13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.779041295.000002B012F02000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                        Stealing of Sensitive Information

                        barindex
                        Yara detected Emotet
                        Source: Yara matchFile source: Bg6DyC7lDh.dll, type: SAMPLE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5250000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5700000.21.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.46f0000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5000000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4c00000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.53a0000.15.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5650000.18.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4e40000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5460000.16.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4fa0000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5380000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4fa0000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4f70000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5170000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.5100000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.rundll32.exe.de0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.54e0000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.regsvr32.exe.4cd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4de0000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.14d0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.11c0000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5350000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5510000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4e10000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5280000.13.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4dc0000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4fd0000.11.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.51a0000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.5100000.12.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.1280000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5670000.12.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 9.2.rundll32.exe.4870000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5350000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.1180000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5650000.18.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4af0000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.53b0000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4e40000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5060000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.46f0000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4ea0000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4c30000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5190000.11.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5370000.14.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4ea0000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.1500000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.regsvr32.exe.4cd0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.56a0000.13.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 9.2.rundll32.exe.48a0000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.5130000.13.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4dc0000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.c40000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.rundll32.exe.e10000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.56d0000.20.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5490000.17.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4de0000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.c40000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.53b0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5070000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 9.2.rundll32.exe.4870000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5510000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5680000.19.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5000000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4af0000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.e50000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5070000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.1280000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.1180000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4ed0000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5460000.16.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.50c0000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.56d0000.20.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5250000.12.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5370000.14.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4b20000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.14d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5030000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.regsvr32.exe.4d10000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5540000.11.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4df0000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5670000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.4c00000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.4730000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.rundll32.exe.de0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.5170000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.rundll32.exe.5060000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 7.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000007.00000002.287494272.0000000005381000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.780209080.0000000005701000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296338746.0000000004F71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779999636.0000000005491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.268531340.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296293943.0000000004E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.288455858.0000000004870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.274458477.0000000001501000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287862922.0000000005541000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779143719.0000000000E51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.294626282.0000000001180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779418909.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.266354631.0000000004D11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296431152.0000000005131000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287111363.0000000005170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287132788.00000000051A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.262826472.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.288482327.00000000048A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779603939.0000000005000000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287038579.0000000005070000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.778637126.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779449781.0000000004DF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779771482.0000000005281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779542982.0000000004ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296459967.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296356591.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779971740.0000000005460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.295961219.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.285682496.0000000001280000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296375902.0000000004FD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779631051.0000000005031000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287469423.0000000005350000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779317583.0000000004731000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.295334948.0000000004B21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287075796.00000000050C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.285736531.0000000004AF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.780141318.0000000005681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779684590.0000000005191000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.268562280.0000000000E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.271956434.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779867718.0000000005370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.295156896.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287604820.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296406434.0000000005100000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296276538.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.293864491.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779237002.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779911189.00000000053A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.780100280.0000000005650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287829918.0000000005510000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779726684.0000000005250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.287729935.00000000054E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296314729.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.296141210.0000000004C31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.288375637.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.266639849.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779504243.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.780181061.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.779651988.0000000005060000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.780299654.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.294816386.00000000011C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.288125580.00000000056A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.288102612.0000000005670000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.276915244.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.268591855.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

                        Mitre Att&ck Matrix

                        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                        Valid Accounts1
                        Windows Management Instrumentation                        		1
                        DLL Side-Loading                        		1
                        DLL Side-Loading                        		1
                        Disable or Modify Tools                        		2
                        Input Capture                        		2
                        System Time Discovery                        		Remote Services1
                        Archive Collected Data                        		Exfiltration Over Other Network Medium1
                        Ingress Tool Transfer                        		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                        Default Accounts1
                        Native API                        		Boot or Logon Initialization Scripts111
                        Process Injection                        		1
                        Deobfuscate/Decode Files or Information                        		LSASS Memory2
                        File and Directory Discovery                        		Remote Desktop Protocol2
                        Input Capture                        		Exfiltration Over Bluetooth1
                        Encrypted Channel                        		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)2
                        Obfuscated Files or Information                        		Security Account Manager46
                        System Information Discovery                        		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                        Non-Standard Port                        		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                        DLL Side-Loading                        		NTDS1
                        Query Registry                        		Distributed Component Object ModelInput CaptureScheduled Transfer1
                        Application Layer Protocol                        		SIM Card SwapCarrier Billing Fraud
                        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                        File Deletion                        		LSA Secrets51
                        Security Software Discovery                        		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                        Replication Through Removable MediaLaunchdRc.commonRc.common2
                        Masquerading                        		Cached Domain Credentials2
                        Virtualization/Sandbox Evasion                        		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                        External Remote ServicesScheduled TaskStartup ItemsStartup Items2
                        Virtualization/Sandbox Evasion                        		DCSync1
                        Application Window Discovery                        		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job111
                        Process Injection                        		Proc Filesystem1
                        Remote System Discovery                        		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                        Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                        Hidden Files and Directories                        		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                        Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)1
                        Regsvr32                        		Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                        Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron1
                        Rundll32                        		Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop

                        Behavior Graph

                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562461 Sample: Bg6DyC7lDh Startdate: 28/01/2022 Architecture: WINDOWS Score: 92 46 210.57.209.142 UNAIR-AS-IDUniversitasAirlanggaID Indonesia 2->46 48 118.98.72.86 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID Indonesia 2->48 50 29 other IPs or domains 2->50 58 Found malware configuration 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected Emotet 2->62 64 3 other signatures 2->64 9 loaddll32.exe 1 2->9         started        11 svchost.exe 2->11         started        14 svchost.exe 9 1 2->14         started        17 7 other processes 2->17 signatures3 process4 dnsIp5 19 rundll32.exe 2 9->19         started        22 cmd.exe 1 9->22         started        24 regsvr32.exe 9->24         started        26 rundll32.exe 9->26         started        72 Changes security center settings (notifications, updates, antivirus, firewall) 11->72 28 MpCmdRun.exe 1 11->28         started        56 127.0.0.1 unknown unknown 14->56 signatures6 process7 signatures8 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->66 30 rundll32.exe 19->30         started        32 rundll32.exe 22->32         started        34 rundll32.exe 24->34         started        36 conhost.exe 28->36         started        process9 process10 38 rundll32.exe 30->38         started        42 rundll32.exe 2 32->42         started        44 BackgroundTransferHost.exe 13 32->44         started        dnsIp11 52 74.207.230.120, 49762, 8080 LINODE-APLinodeLLCUS United States 38->52 54 139.196.72.155, 49765, 8080 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 38->54 68 System process connects to network (likely due to code injection or exploit) 38->68 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 42->70 signatures12

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        windows-stand

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        SourceDetectionScannerLabelLink
                        Bg6DyC7lDh.dll15%VirustotalBrowse
                        Bg6DyC7lDh.dll100%Joe Sandbox ML

                        Dropped Files

                        No Antivirus matches

                        Unpacked PE Files

                        SourceDetectionScannerLabelLinkDownload
                        4.2.rundll32.exe.4e40000.8.unpack100%AviraHEUR/AGEN.1145233Download File
                        4.2.rundll32.exe.4fa0000.10.unpack100%AviraHEUR/AGEN.1145233Download File
                        3.2.rundll32.exe.de0000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                        4.2.rundll32.exe.4f70000.9.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        2.2.regsvr32.exe.4cd0000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                        7.2.rundll32.exe.5380000.7.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.5460000.16.unpack100%AviraHEUR/AGEN.1145233Download File
                        7.2.rundll32.exe.54e0000.9.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.5700000.21.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.53a0000.15.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        7.2.rundll32.exe.5170000.4.unpack100%AviraHEUR/AGEN.1145233Download File
                        4.2.rundll32.exe.4de0000.6.unpack100%AviraHEUR/AGEN.1145233Download File
                        7.2.rundll32.exe.5510000.10.unpack100%AviraHEUR/AGEN.1145233Download File
                        4.2.rundll32.exe.11c0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.5280000.13.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        4.2.rundll32.exe.4e10000.7.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        7.2.rundll32.exe.51a0000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        7.2.rundll32.exe.1280000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                        4.2.rundll32.exe.4fd0000.11.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        4.2.rundll32.exe.5100000.12.unpack100%AviraHEUR/AGEN.1145233Download File
                        7.2.rundll32.exe.5670000.12.unpack100%AviraHEUR/AGEN.1145233Download File
                        9.2.rundll32.exe.4870000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                        11.2.rundll32.exe.5650000.18.unpack100%AviraHEUR/AGEN.1145233Download File
                        7.2.rundll32.exe.5350000.6.unpack100%AviraHEUR/AGEN.1145233Download File
                        7.2.rundll32.exe.53b0000.8.unpack100%AviraHEUR/AGEN.1145233Download File
                        11.2.rundll32.exe.46f0000.2.unpack100%AviraHEUR/AGEN.1145233Download File
                        4.2.rundll32.exe.4af0000.2.unpack100%AviraHEUR/AGEN.1145233Download File
                        4.2.rundll32.exe.4c30000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        7.2.rundll32.exe.4af0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.5370000.14.unpack100%AviraHEUR/AGEN.1145233Download File
                        0.2.loaddll32.exe.1500000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.5190000.11.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        4.2.rundll32.exe.5130000.13.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        9.2.rundll32.exe.48a0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.4ea0000.6.unpack100%AviraHEUR/AGEN.1145233Download File
                        7.2.rundll32.exe.56a0000.13.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.4dc0000.4.unpack100%AviraHEUR/AGEN.1145233Download File
                        11.2.rundll32.exe.c40000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                        3.2.rundll32.exe.e10000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.5490000.17.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.5680000.19.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.5000000.8.unpack100%AviraHEUR/AGEN.1145233Download File
                        11.2.rundll32.exe.e50000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        7.2.rundll32.exe.5070000.2.unpack100%AviraHEUR/AGEN.1145233Download File
                        4.2.rundll32.exe.1180000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                        11.2.rundll32.exe.4ed0000.7.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        7.2.rundll32.exe.50c0000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.5250000.12.unpack100%AviraHEUR/AGEN.1145233Download File
                        11.2.rundll32.exe.56d0000.20.unpack100%AviraHEUR/AGEN.1145233Download File
                        4.2.rundll32.exe.4b20000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        2.2.regsvr32.exe.4d10000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        0.2.loaddll32.exe.14d0000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                        11.2.rundll32.exe.4df0000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.5030000.9.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        7.2.rundll32.exe.5540000.11.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        4.2.rundll32.exe.4c00000.4.unpack100%AviraHEUR/AGEN.1145233Download File
                        11.2.rundll32.exe.4730000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                        11.2.rundll32.exe.5060000.10.unpack100%AviraHEUR/AGEN.1145233Download File

                        Domains

                        No Antivirus matches

                        URLs

                        SourceDetectionScannerLabelLink
                        https://www.disneyplus.com/legal/your-california-privacy-rights0%URL Reputationsafe
                        http://crl.ver)0%Avira URL Cloudsafe
                        https://www.tiktok.com/legal/report/feedback0%URL Reputationsafe
                        https://activity.windows.comr0%URL Reputationsafe
                        https://%s.xboxlive.com0%URL Reputationsafe
                        https://www.disneyplus.com/legal/privacy-policy0%URL Reputationsafe
                        https://dynamic.t0%URL Reputationsafe
                        https://disneyplus.com/legal.0%URL Reputationsafe
                        http://help.disneyplus.com.0%URL Reputationsafe
                        https://%s.dnet.xboxlive.com0%URL Reputationsafe

                        Domains and IPs

                        Contacted Domains

                        No contacted domains info

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpfalse
                          		high
                          https://www.disneyplus.com/legal/your-california-privacy-rightssvchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=svchost.exe, 0000000D.00000003.321367338.000001A9C1445000.00000004.00000001.00020000.00000000.sdmpfalse
                            		high
                            https://dev.ditu.live.com/REST/v1/Routes/svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmpfalse
                              		high
                              https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpfalse
                                		high
                                https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmpfalse
                                  		high
                                  https://dev.ditu.live.com/REST/v1/Traffic/Incidents/svchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpfalse
                                    		high
                                    https://dev.ditu.live.com/REST/v1/Transit/Stops/svchost.exe, 0000000D.00000003.320908225.000001A9C1467000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322149285.000001A9C146A000.00000004.00000001.00020000.00000000.sdmpfalse
                                      		high
                                      https://t0.tiles.ditu.live.com/tiles/gensvchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpfalse
                                        		high
                                        https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmpfalse
                                          		high
                                          https://dev.virtualearth.net/REST/v1/Traffic/Incidents/svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmpfalse
                                            		high
                                            https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmpfalse
                                              		high
                                              https://dev.virtualearth.net/REST/v1/Routes/Walkingsvchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpfalse
                                                		high
                                                http://crl.ver)svchost.exe, 00000005.00000002.614917318.000002FA99012000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.473526103.000002DEDA6ED000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		low
                                                https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 0000000D.00000002.322122135.000001A9C1447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322090596.000001A9C1429000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321252960.000001A9C1446000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://www.tiktok.com/legal/report/feedbacksvchost.exe, 0000001A.00000003.447105193.000002DEDB402000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446901322.000002DEDAFC2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446829559.000002DEDAF8A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446821206.000002DEDAF79000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.447041610.000002DEDAFAB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446970410.000002DEDAFC2000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://activity.windows.comrsvchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322076624.000001A9C1413000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=svchost.exe, 0000000D.00000002.322115623.000001A9C1442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321477876.000001A9C1441000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://%s.xboxlive.comsvchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		low
                                                      https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://dev.ditu.live.com/REST/v1/Imagery/Copyright/svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 0000000D.00000002.322122135.000001A9C1447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321252960.000001A9C1446000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://www.disneyplus.com/legal/privacy-policysvchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 0000000D.00000002.322115623.000001A9C1442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321477876.000001A9C1441000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://dynamic.tsvchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322115623.000001A9C1442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321477876.000001A9C1441000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://disneyplus.com/legal.svchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321593288.000001A9C143A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000D.00000002.322122135.000001A9C1447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321252960.000001A9C1446000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://activity.windows.comsvchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://www.bingmapsportal.comsvchost.exe, 0000000D.00000002.322076624.000001A9C1413000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://help.disneyplus.com.svchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://%s.dnet.xboxlive.comsvchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      		low
                                                                                      https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          		high

                                                                                          World Map of Contacted IPs

                                                                                          • No. of IPs < 25%
                                                                                          • 25% < No. of IPs < 50%
                                                                                          • 50% < No. of IPs < 75%
                                                                                          • 75% < No. of IPs

                                                                                          Public IPs

                                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                                          207.148.81.119
                                                                                          		unknownUnited States
                                                                                          		20473AS-CHOOPAUStrue
                                                                                          104.131.62.48
                                                                                          		unknownUnited States
                                                                                          		14061DIGITALOCEAN-ASNUStrue
                                                                                          198.199.98.78
                                                                                          		unknownUnited States
                                                                                          		14061DIGITALOCEAN-ASNUStrue
                                                                                          194.9.172.107
                                                                                          		unknownunknown
                                                                                          		207992FEELBFRtrue
                                                                                          59.148.253.194
                                                                                          		unknownHong Kong
                                                                                          		9269HKBN-AS-APHongKongBroadbandNetworkLtdHKtrue
                                                                                          74.207.230.120
                                                                                          		unknownUnited States
                                                                                          		63949LINODE-APLinodeLLCUStrue
                                                                                          103.41.204.169
                                                                                          		unknownIndonesia
                                                                                          		58397INFINYS-AS-IDPTInfinysSystemIndonesiaIDtrue
                                                                                          85.214.67.203
                                                                                          		unknownGermany
                                                                                          		6724STRATOSTRATOAGDEtrue
                                                                                          191.252.103.16
                                                                                          		unknownBrazil
                                                                                          		27715LocawebServicosdeInternetSABRtrue
                                                                                          168.197.250.14
                                                                                          		unknownArgentina
                                                                                          		264776OmarAnselmoRipollTDCNETARtrue
                                                                                          185.148.168.15
                                                                                          		unknownGermany
                                                                                          		44780EVERSCALE-ASDEtrue
                                                                                          66.42.57.149
                                                                                          		unknownUnited States
                                                                                          		20473AS-CHOOPAUStrue
                                                                                          139.196.72.155
                                                                                          		unknownChina
                                                                                          		37963CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtdtrue
                                                                                          217.182.143.207
                                                                                          		unknownFrance
                                                                                          		16276OVHFRtrue
                                                                                          203.153.216.46
                                                                                          		unknownIndonesia
                                                                                          		45291SURF-IDPTSurfindoNetworkIDtrue
                                                                                          159.69.237.188
                                                                                          		unknownGermany
                                                                                          		24940HETZNER-ASDEtrue
                                                                                          116.124.128.206
                                                                                          		unknownKorea Republic of
                                                                                          		9318SKB-ASSKBroadbandCoLtdKRtrue
                                                                                          37.59.209.141
                                                                                          		unknownFrance
                                                                                          		16276OVHFRtrue
                                                                                          78.46.73.125
                                                                                          		unknownGermany
                                                                                          		24940HETZNER-ASDEtrue
                                                                                          210.57.209.142
                                                                                          		unknownIndonesia
                                                                                          		38142UNAIR-AS-IDUniversitasAirlanggaIDtrue
                                                                                          185.148.168.220
                                                                                          		unknownGermany
                                                                                          		44780EVERSCALE-ASDEtrue
                                                                                          54.37.228.122
                                                                                          		unknownFrance
                                                                                          		16276OVHFRtrue
                                                                                          185.168.130.138
                                                                                          		unknownUkraine
                                                                                          		49720GIGACLOUD-ASUAtrue
                                                                                          190.90.233.66
                                                                                          		unknownColombia
                                                                                          		18678INTERNEXASAESPCOtrue
                                                                                          142.4.219.173
                                                                                          		unknownCanada
                                                                                          		16276OVHFRtrue
                                                                                          54.38.242.185
                                                                                          		unknownFrance
                                                                                          		16276OVHFRtrue
                                                                                          195.154.146.35
                                                                                          		unknownFrance
                                                                                          		12876OnlineSASFRtrue
                                                                                          195.77.239.39
                                                                                          		unknownSpain
                                                                                          		60493FICOSA-ASEStrue
                                                                                          78.47.204.80
                                                                                          		unknownGermany
                                                                                          		24940HETZNER-ASDEtrue
                                                                                          118.98.72.86
                                                                                          		unknownIndonesia
                                                                                          		7713TELKOMNET-AS-APPTTelekomunikasiIndonesiaIDtrue
                                                                                          37.44.244.177
                                                                                          		unknownGermany
                                                                                          		47583AS-HOSTINGERLTtrue
                                                                                          62.171.178.147
                                                                                          		unknownUnited Kingdom
                                                                                          		51167CONTABODEtrue
                                                                                          128.199.192.135
                                                                                          		unknownUnited Kingdom
                                                                                          		14061DIGITALOCEAN-ASNUStrue

                                                                                          Private

                                                                                          IP
                                                                                          127.0.0.1

                                                                                          General Information

                                                                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                          Analysis ID:562461
                                                                                          Start date:28.01.2022
                                                                                          Start time:22:20:13
                                                                                          Joe Sandbox Product:CloudBasic
                                                                                          Overall analysis duration:0h 14m 10s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:light
                                                                                          Sample file name:Bg6DyC7lDh (renamed file extension from none to dll)
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                          Number of analysed new started processes analysed:31
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • HDC enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Detection:MAL
                                                                                          Classification:mal92.troj.evad.winDLL@32/9@0/34
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          HDC Information:
                                                                                          • Successful, ratio: 100% (good quality ratio 93.4%)
                                                                                          • Quality average: 71.5%
                                                                                          • Quality standard deviation: 26.5%
                                                                                          HCA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          • Number of executed functions: 0
                                                                                          • Number of non-executed functions: 0
                                                                                          Cookbook Comments:
                                                                                          • Adjust boot time
                                                                                          • Enable AMSI
                                                                                          • Override analysis time to 240s for rundll32

                                                                                          Warnings

                                                                                          • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
                                                                                          • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 2.20.156.69, 92.123.101.210, 92.123.101.170, 92.123.101.179, 92.123.101.169, 40.91.112.76, 20.54.7.98, 20.54.104.15
                                                                                          • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wus2-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-micro
                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                          Simulations

                                                                                          Behavior and APIs

                                                                                          TimeTypeDescription
                                                                                          22:21:17API Interceptor10x Sleep call for process: svchost.exe modified
                                                                                          22:22:37API Interceptor1x Sleep call for process: MpCmdRun.exe modified

                                                                                          Joe Sandbox View / Context

                                                                                          IPs

                                                                                          No context

                                                                                          Domains

                                                                                          No context

                                                                                          ASNs

                                                                                          No context

                                                                                          JA3 Fingerprints

                                                                                          No context

                                                                                          Dropped Files

                                                                                          No context

                                                                                          Created / dropped Files

                                                                                          C:\ProgramData\Microsoft\Network\Downloader\edb.chk

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):8192
                                                                                          Entropy (8bit):0.3593198815979092
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
                                                                                          MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
                                                                                          SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
                                                                                          SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
                                                                                          SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
                                                                                          Malicious:false
                                                                                          Preview:.............*..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................*.............................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:MPEG-4 LOAS
                                                                                          Category:dropped
                                                                                          Size (bytes):1310720
                                                                                          Entropy (8bit):0.2494418280042947
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4p:BJiRdwfu2SRU4p
                                                                                          MD5:D4CE4F78B74CC0908941E8735F1CF295
                                                                                          SHA1:FF53DF2E0C8F9BEC427525A3A44AF8757CBDFD15
                                                                                          SHA-256:625135E85A1E34931F3EF6426E0D42B77A97BDF07C69EC9FD27BA95353673A1F
                                                                                          SHA-512:829C1B935198054D4013F0E63F9DDFE0689F17B890296624F945BAAD41002540DAF512F39F9E9AC64A8A805C7AAAB6B9ECF3D64F0B222A0EE36B503B957A9021
                                                                                          Malicious:false
                                                                                          Preview:V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0f7c94ec, page size 16384, Windows version 10.0
                                                                                          Category:dropped
                                                                                          Size (bytes):786432
                                                                                          Entropy (8bit):0.2506229908050935
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:g/N+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:g/uSB2nSB2RSjlK/+mLesOj1J2
                                                                                          MD5:45415639C5303A0C1C09FED273A52481
                                                                                          SHA1:AF6E77DD80387C01E0DC53EFCF6BF65ABFFC4AB3
                                                                                          SHA-256:EFB44260505B02062337CD61A88FA3DC6A695FF821511AF1765AF8081259123B
                                                                                          SHA-512:A0D0C7DD4DB82C028C1137079717D3E71EBC8969A620E2CDDCB4D9FB262B369DC1B1F6523B07F426FD65B77D0EA73DD25A5558C2EF026F7056EC48E9B69207FD
                                                                                          Malicious:false
                                                                                          Preview:.|..... ................e.f.3...w........................)..........zI......zQ.h.(..........zI...)..............3...w...........................................................................................................B...........@...................................................................................................... ....................................................................................................................................................................................................................................................5......zI....................;.....zI.........................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):16384
                                                                                          Entropy (8bit):0.07576484657716591
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:ynZ7v3+UNG/ts5NfOOrg7///qkrO/tall3Vkttlmlnl:yZrOi9sXZr73
                                                                                          MD5:7E267D71A3A2924510CB2275C9135446
                                                                                          SHA1:F92E6283962D1DF967966ABFE5685BD0F6223552
                                                                                          SHA-256:3244F40C786FC3759E9FE37221A6AFD7E3539EA1563C601EE2F4C53BF5CA6345
                                                                                          SHA-512:00F588D5696E3F55365D320D318F5404E76F35774B3F57D2AE4BF89A27C053638F2F4696FD69DF0A8F76D624D5F2C7B8218C1EF7011BAA46A93904C2E1FA895C
                                                                                          Malicious:false
                                                                                          Preview:`.......................................3...w.......z.......zI..............zI......zI.kN_......z....................;.....zI.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                          File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                                                                                          Category:dropped
                                                                                          Size (bytes):61414
                                                                                          Entropy (8bit):7.995245868798237
                                                                                          Encrypted:true
                                                                                          SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                                                                                          MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                                                                                          SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                                                                                          SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                                                                                          SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                                                                                          Malicious:false
                                                                                          Preview:MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

                                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                          File Type:data
                                                                                          Category:modified
                                                                                          Size (bytes):328
                                                                                          Entropy (8bit):3.1122616792999316
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:kKdptk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:Tt9kPlE99SNxAhUeYlUSA/t
                                                                                          MD5:1E4ED718E0D2EF47370B4567A1C2B750
                                                                                          SHA1:F359C1AC5B4A3CE402415DF418E0A834926CBDB1
                                                                                          SHA-256:B24509D0D688AB01F9332DAC5708DAA58319DCE5D48215C66BEBF3682F513A93
                                                                                          SHA-512:D25E0517EB93172332EB284C47BDB5AA9C710B58F25B5CE02C0066289671A0ACEB8508C2BFA19404672566B317B1D369227756C5223ABE9D38634A2132E884C1
                                                                                          Malicious:false
                                                                                          Preview:p...... ..........L.....(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

                                                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):55
                                                                                          Entropy (8bit):4.306461250274409
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                          Malicious:false
                                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

                                                                                          Download File
                                                                                          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                          Category:modified
                                                                                          Size (bytes):9062
                                                                                          Entropy (8bit):3.166114821808174
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:cY+38+DJDD+iDtJC+iw3+gF+O5+6tw+EStN+Ej23+dt:j+s+5D+Me+X+u+M+j+l+73+dt
                                                                                          MD5:F095B293720409934FBE10DAF412A8A1
                                                                                          SHA1:FAE8DCB76639C9CE658E43703C3B821E82EC852D
                                                                                          SHA-256:228B5DD614F3486781CC7A7F4EBDC81CB0FC20A9B2BAF25ED54D9DB5B2A7B0DE
                                                                                          SHA-512:3400E5A1CCBFA58FDCDCEA7BA2426BCB8A5E574959EDAB97E91B5D7DD7ADAA5970D310E2C57798AD4E2DC99F35D50BB007ADDA01A3BD535C8F421C1F0C054DA8
                                                                                          Malicious:false
                                                                                          Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

                                                                                          C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220129_062134_900.etl

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):12288
                                                                                          Entropy (8bit):3.7803076993140294
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:dTCgblgo+h/5uD9S/YAVCACI2lzfkHc4c+T2hjFzMNMCgGdJRA7dj5EUMCDY5QU8:8Pe4Ee2BltCg2fCpCKC2CUCo
                                                                                          MD5:799E7659320F37DDC20C480DB77CCE14
                                                                                          SHA1:DAF693FA4F3C2411D096690CA673836F403EDB50
                                                                                          SHA-256:5D39D3DA4BB584E3D96B8F0B53205D146D3A01B9ACB2355BA6B63DFA108DB9C8
                                                                                          SHA-512:1A1134DC7EE0AFFD43D0812E556B2049103054709896819476979EA933DC8367E4A949939D0099F768D3B1314E6CED77E9309E8890ADB4842C5BC631CD2583B6
                                                                                          Malicious:false
                                                                                          Preview:.... ... ....................................... ...!............................................................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................N...=..... .....P..v............8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.2.0.1.2.9._.0.6.2.1.3.4._.9.0.0...e.t.l.........P.P.................................................................................................................................................................................................................................................................................

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):7.004123659336167
                                                                                          TrID:
                                                                                          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                          • DOS Executable Generic (2002/1) 0.20%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:Bg6DyC7lDh.dll
                                                                                          File size:557056
                                                                                          MD5:3fa1bec287b995a7f96dc3866eff577d
                                                                                          SHA1:c721507f4a11e090f107d071a99aaeffbdc0ea43
                                                                                          SHA256:f7a5f6bc0833474da5450e33786893ac7b996ba5e91ed0f7d3243dc4d7db5486
                                                                                          SHA512:70304fcf6f6ea1cc3cca75ff01475f97451500d0114f94f19119573c4e34f6f33e4c54de3481d74c37100360ac72720675725bc230ed68d0e8e5a12e84b443b5
                                                                                          SSDEEP:6144:HUNF4UQXTkkAiBuGKDU5PSczbmOTT0DaTMGbUylbdTN1itwRClN6RfcjJxX4R0Zq:AeAa4DU5PSczbmmTzTnwyDx6BrWt
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L......a...

                                                                                          File Icon

                                                                                          Icon Hash:74f0e4ecccdce0e4

                                                                                          Static PE Info

                                                                                          General

                                                                                          Entrypoint:0x10030d06
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x10000000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                          DLL Characteristics:
                                                                                          Time Stamp:0x61F3FA91 [Fri Jan 28 14:15:45 2022 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:f4d2f65566a93075f8824e97bf321580

                                                                                          Entrypoint Preview

                                                                                          Instruction
                                                                                          cmp dword ptr [esp+08h], 01h
                                                                                          jne 00007F37F496D067h
                                                                                          call 00007F37F49753C0h
                                                                                          push dword ptr [esp+04h]
                                                                                          mov ecx, dword ptr [esp+10h]
                                                                                          mov edx, dword ptr [esp+0Ch]
                                                                                          call 00007F37F496CF52h
                                                                                          pop ecx
                                                                                          retn 000Ch
                                                                                          push eax
                                                                                          push dword ptr fs:[00000000h]
                                                                                          lea eax, dword ptr [esp+0Ch]
                                                                                          sub esp, dword ptr [esp+0Ch]
                                                                                          push ebx
                                                                                          push esi
                                                                                          push edi
                                                                                          mov dword ptr [eax], ebp
                                                                                          mov ebp, eax
                                                                                          mov eax, dword ptr [100545D4h]
                                                                                          xor eax, ebp
                                                                                          push eax
                                                                                          push dword ptr [ebp-04h]
                                                                                          mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                                          mov dword ptr fs:[00000000h], eax
                                                                                          ret
                                                                                          push eax
                                                                                          push dword ptr fs:[00000000h]
                                                                                          lea eax, dword ptr [esp+0Ch]
                                                                                          sub esp, dword ptr [esp+0Ch]
                                                                                          push ebx
                                                                                          push esi
                                                                                          push edi
                                                                                          mov dword ptr [eax], ebp
                                                                                          mov ebp, eax
                                                                                          mov eax, dword ptr [100545D4h]
                                                                                          xor eax, ebp
                                                                                          push eax
                                                                                          mov dword ptr [ebp-10h], esp
                                                                                          push dword ptr [ebp-04h]
                                                                                          mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                                          mov dword ptr fs:[00000000h], eax
                                                                                          ret
                                                                                          push eax
                                                                                          push dword ptr fs:[00000000h]
                                                                                          lea eax, dword ptr [esp+0Ch]
                                                                                          sub esp, dword ptr [esp+0Ch]
                                                                                          push ebx
                                                                                          push esi
                                                                                          push edi
                                                                                          mov dword ptr [eax], ebp
                                                                                          mov ebp, eax
                                                                                          mov eax, dword ptr [100545D4h]
                                                                                          xor eax, ebp
                                                                                          push eax
                                                                                          mov dword ptr [ebp-10h], eax
                                                                                          push dword ptr [ebp-04h]
                                                                                          mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                                          mov dword ptr fs:[00000000h], eax
                                                                                          ret
                                                                                          push eax
                                                                                          push dword ptr fs:[00000000h]

                                                                                          Rich Headers

                                                                                          Programming Language:
                                                                                          • [RES] VS2005 build 50727
                                                                                          • [ C ] VS2005 build 50727
                                                                                          • [EXP] VS2005 build 50727
                                                                                          • [C++] VS2005 build 50727
                                                                                          • [ASM] VS2005 build 50727
                                                                                          • [LNK] VS2005 build 50727

                                                                                          Data Directories

                                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x52d400x52.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x510340x104.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x5a0000x27650.rsrc
                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x820000x4e30.reloc
                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x4bd900x40.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x460000x594.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x50fac0x40.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                          Sections

                                                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                          .text0x10000x445390x45000False0.469910552536data6.61687356024IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                          .rdata0x460000xcd920xd000False0.337834284856data5.22670579455IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .data0x530000x65800x3000False0.2626953125PGP symmetric key encrypted data -4.05367526692IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                          .rsrc0x5a0000x276500x28000False0.916259765625data7.8318744089IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .reloc0x820000x93760xa000False0.346923828125data4.18220950375IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                          Resources

                                                                                          NameRVASizeTypeLanguageCountry
                                                                                          DASHBOARD0x5ab040x23600dataChineseTaiwan
                                                                                          RT_CURSOR0x7e1040x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7e2380xb4dataChineseTaiwan
                                                                                          RT_CURSOR0x7e2ec0x134AmigaOS bitmap fontChineseTaiwan
                                                                                          RT_CURSOR0x7e4200x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7e5540x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7e6880x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7e7bc0x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7e8f00x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7ea240x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7eb580x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7ec8c0x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7edc00x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7eef40x134AmigaOS bitmap fontChineseTaiwan
                                                                                          RT_CURSOR0x7f0280x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7f15c0x134dataChineseTaiwan
                                                                                          RT_CURSOR0x7f2900x134dataChineseTaiwan
                                                                                          RT_BITMAP0x7f3c40xb8dataChineseTaiwan
                                                                                          RT_BITMAP0x7f47c0x144dataChineseTaiwan
                                                                                          RT_DIALOG0x7f5c00x148dataChineseTaiwan
                                                                                          RT_DIALOG0x7f7080x26adataChineseTaiwan
                                                                                          RT_DIALOG0x7f9740xe8dataChineseTaiwan
                                                                                          RT_DIALOG0x7fa5c0x34dataChineseTaiwan
                                                                                          RT_STRING0x7fa900x58dataChineseTaiwan
                                                                                          RT_STRING0x7fae80x82dataChineseTaiwan
                                                                                          RT_STRING0x7fb6c0x2adataChineseTaiwan
                                                                                          RT_STRING0x7fb980x192dataChineseTaiwan
                                                                                          RT_STRING0x7fd2c0x4e2dataChineseTaiwan
                                                                                          RT_STRING0x802100x31adataChineseTaiwan
                                                                                          RT_STRING0x8052c0x2dcdataChineseTaiwan
                                                                                          RT_STRING0x808080x8adataChineseTaiwan
                                                                                          RT_STRING0x808940xacdataChineseTaiwan
                                                                                          RT_STRING0x809400xdedataChineseTaiwan
                                                                                          RT_STRING0x80a200x4c4dataChineseTaiwan
                                                                                          RT_STRING0x80ee40x264dataChineseTaiwan
                                                                                          RT_STRING0x811480x2cdataChineseTaiwan
                                                                                          RT_STRING0x811740x42dataChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x811b80x22Lotus unknown worksheet or configuration, revision 0x2ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x811dc0x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x811f00x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x812040x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x812180x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x8122c0x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x812400x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x812540x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x812680x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x8127c0x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x812900x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x812a40x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x812b80x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x812cc0x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_GROUP_CURSOR0x812e00x14Lotus unknown worksheet or configuration, revision 0x1ChineseTaiwan
                                                                                          RT_VERSION0x812f40x304dataChineseTaiwan
                                                                                          RT_MANIFEST0x815f80x56ASCII text, with CRLF line terminatorsEnglishUnited States

                                                                                          Imports

                                                                                          DLLImport
                                                                                          KERNEL32.dllFileTimeToSystemTime, FileTimeToLocalFileTime, GetFileAttributesA, GetFileTime, GetTickCount, RtlUnwind, GetSystemInfo, HeapReAlloc, GetCommandLineA, ExitProcess, ExitThread, CreateThread, RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, Sleep, HeapDestroy, HeapCreate, GetStdHandle, GetOEMCP, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetACP, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEnvironmentVariableA, GetCPInfo, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetThreadLocale, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, FormatMessageA, LocalFree, InterlockedDecrement, MulDiv, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, WritePrivateProfileStringA, GlobalUnlock, GlobalFree, FreeResource, GetCurrentProcessId, GlobalAddAtomA, CreateEventA, SuspendThread, SetEvent, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, GlobalLock, lstrcmpA, GlobalAlloc, GlobalDeleteAtom, GetModuleHandleA, GetLastError, lstrlenA, CompareStringA, CompareStringW, MultiByteToWideChar, InterlockedExchange, GetVersion, WideCharToMultiByte, LockResource, FindResourceA, FindResourceW, LoadResource, SizeofResource, HeapFree, GetNativeSystemInfo, GetProcessHeap, HeapAlloc, FreeLibrary, GetProcAddress, LoadLibraryA, IsBadReadPtr, VirtualProtect, SetLastError, VirtualAlloc, VirtualFree, SetHandleCount, VirtualQuery
                                                                                          USER32.dllGetNextDlgGroupItem, MessageBeep, UnregisterClassA, RegisterClipboardFormatA, PostThreadMessageA, LoadCursorA, SetCapture, DestroyMenu, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, InvalidateRgn, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSubMenu, GetMenuItemID, GetMenuItemCount, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, EqualRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, ReleaseDC, GetDC, CopyRect, SetWindowLongA, GetWindowLongA, GetSystemMetrics, DrawIcon, AppendMenuA, SendMessageA, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, InvalidateRect, SetRect, IsRectEmpty, CopyAcceleratorTableA, CharNextA, GetLastActivePopup, IsWindowEnabled, GetSysColorBrush, ReleaseCapture, GetSystemMenu, IsIconic, GetClientRect, EnableWindow, LoadIconA, CharUpperA, PostQuitMessage, PostMessageA, CheckMenuItem, EnableMenuItem, GetMenuState, ModifyMenuA, GetParent, GetFocus, LoadBitmapA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, GetActiveWindow, DispatchMessageA, TranslateMessage, GetMessageA, CallNextHookEx, SetWindowsHookExA, SetCursor, MessageBoxA, IsChild
                                                                                          GDI32.dllExtSelectClipRgn, DeleteDC, GetStockObject, GetDeviceCaps, GetBkColor, GetTextColor, GetRgnBox, GetMapMode, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, CreateBitmap, RectVisible, PtVisible, GetWindowExtEx, GetViewportExtEx, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateRectRgnIndirect, TextOutA
                                                                                          comdlg32.dllGetFileTitleA
                                                                                          WINSPOOL.DRVDocumentPropertiesA, OpenPrinterA, ClosePrinter
                                                                                          ADVAPI32.dllRegQueryValueA, RegSetValueExA, RegCreateKeyExA, RegCloseKey, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA
                                                                                          COMCTL32.dllInitCommonControlsEx
                                                                                          SHLWAPI.dllPathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
                                                                                          WS2_32.dllrecv, connect, WSACleanup, socket, WSAStartup, htons, inet_addr, closesocket, send
                                                                                          oledlg.dll
                                                                                          ole32.dllStgOpenStorageOnILockBytes, CoGetClassObject, CoTaskMemAlloc, StgCreateDocfileOnILockBytes, CoTaskMemFree, CLSIDFromString, CLSIDFromProgID, CreateILockBytesOnHGlobal, CoRegisterMessageFilter, OleFlushClipboard, OleIsCurrentClipboard, CoRevokeClassObject, OleInitialize, CoFreeUnusedLibraries, OleUninitialize
                                                                                          OLEAUT32.dllSysAllocStringLen, VariantClear, VariantChangeType, VariantInit, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, VariantTimeToSystemTime, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, VariantCopy, SysFreeString

                                                                                          Exports

                                                                                          NameOrdinalAddress
                                                                                          DllRegisterServer10x10012860

                                                                                          Version Infos

                                                                                          DescriptionData
                                                                                          LegalCopyrightInnoversal. All rights reserved.
                                                                                          InternalNameFinalChatSocketCli.exe
                                                                                          FileVersion1.0.2.4
                                                                                          CompanyNameInnoversal
                                                                                          ProductNameChar room only
                                                                                          ProductVersion1.0.2.4
                                                                                          FileDescriptionChat room
                                                                                          OriginalFilenameFinalChatSocketCli.exe
                                                                                          Translation0x0404 0x03b6

                                                                                          Possible Origin

                                                                                          Language of compilation systemCountry where language is spokenMap
                                                                                          ChineseTaiwan
                                                                                          EnglishUnited States

                                                                                          Network Behavior

                                                                                          Network Port Distribution

                                                                                          TCP Packets

                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                          Jan 28, 2022 22:21:45.634107113 CET497628080192.168.2.774.207.230.120
                                                                                          Jan 28, 2022 22:21:45.783974886 CET80804976274.207.230.120192.168.2.7
                                                                                          Jan 28, 2022 22:21:46.348982096 CET497628080192.168.2.774.207.230.120
                                                                                          Jan 28, 2022 22:21:46.498123884 CET80804976274.207.230.120192.168.2.7
                                                                                          Jan 28, 2022 22:21:47.036732912 CET497628080192.168.2.774.207.230.120
                                                                                          Jan 28, 2022 22:21:47.187123060 CET80804976274.207.230.120192.168.2.7
                                                                                          Jan 28, 2022 22:21:47.196436882 CET497658080192.168.2.7139.196.72.155
                                                                                          Jan 28, 2022 22:21:47.440165043 CET808049765139.196.72.155192.168.2.7
                                                                                          Jan 28, 2022 22:21:47.440510988 CET497658080192.168.2.7139.196.72.155
                                                                                          Jan 28, 2022 22:21:47.715660095 CET497658080192.168.2.7139.196.72.155
                                                                                          Jan 28, 2022 22:21:47.959338903 CET808049765139.196.72.155192.168.2.7
                                                                                          Jan 28, 2022 22:21:47.970019102 CET808049765139.196.72.155192.168.2.7
                                                                                          Jan 28, 2022 22:21:47.970052004 CET808049765139.196.72.155192.168.2.7
                                                                                          Jan 28, 2022 22:21:47.970172882 CET497658080192.168.2.7139.196.72.155
                                                                                          Jan 28, 2022 22:21:54.870376110 CET497658080192.168.2.7139.196.72.155
                                                                                          Jan 28, 2022 22:21:55.114665031 CET808049765139.196.72.155192.168.2.7
                                                                                          Jan 28, 2022 22:21:55.114808083 CET497658080192.168.2.7139.196.72.155
                                                                                          Jan 28, 2022 22:21:55.119724035 CET497658080192.168.2.7139.196.72.155
                                                                                          Jan 28, 2022 22:21:55.403013945 CET808049765139.196.72.155192.168.2.7
                                                                                          Jan 28, 2022 22:21:56.240480900 CET808049765139.196.72.155192.168.2.7
                                                                                          Jan 28, 2022 22:21:56.240611076 CET497658080192.168.2.7139.196.72.155
                                                                                          Jan 28, 2022 22:21:59.240741014 CET808049765139.196.72.155192.168.2.7
                                                                                          Jan 28, 2022 22:21:59.240775108 CET808049765139.196.72.155192.168.2.7
                                                                                          Jan 28, 2022 22:21:59.240861893 CET497658080192.168.2.7139.196.72.155
                                                                                          Jan 28, 2022 22:21:59.240910053 CET497658080192.168.2.7139.196.72.155
                                                                                          Jan 28, 2022 22:23:35.577542067 CET497658080192.168.2.7139.196.72.155
                                                                                          Jan 28, 2022 22:23:35.577588081 CET497658080192.168.2.7139.196.72.155

                                                                                          Statistics

                                                                                          Behavior

                                                                                          Click to jump to process

                                                                                          System Behavior

                                                                                          General

                                                                                          Target ID:0
                                                                                          Start time:22:21:14
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\loaddll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:loaddll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll"
                                                                                          Imagebase:0x910000
                                                                                          File size:116736 bytes
                                                                                          MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.274458477.0000000001501000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.271956434.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.276915244.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Target ID:1
                                                                                          Start time:22:21:14
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1
                                                                                          Imagebase:0x870000
                                                                                          File size:232960 bytes
                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Target ID:2
                                                                                          Start time:22:21:15
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:regsvr32.exe /s C:\Users\user\Desktop\Bg6DyC7lDh.dll
                                                                                          Imagebase:0x60000
                                                                                          File size:20992 bytes
                                                                                          MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.266354631.0000000004D11000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.262826472.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.266639849.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Target ID:3
                                                                                          Start time:22:21:15
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1
                                                                                          Imagebase:0x12b0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.268531340.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.268562280.0000000000E11000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.268591855.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Target ID:4
                                                                                          Start time:22:21:15
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\Bg6DyC7lDh.dll,DllRegisterServer
                                                                                          Imagebase:0x12b0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.296338746.0000000004F71000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.296293943.0000000004E11000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.294626282.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.296431152.0000000005131000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.296459967.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.296356591.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.295961219.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.296375902.0000000004FD1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.295334948.0000000004B21000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.295156896.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.296406434.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.296276538.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.296314729.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.296141210.0000000004C31000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.294816386.00000000011C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Target ID:5
                                                                                          Start time:22:21:16
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                          Imagebase:0x7ff641cd0000
                                                                                          File size:51288 bytes
                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Target ID:6
                                                                                          Start time:22:21:17
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
                                                                                          Imagebase:0x12b0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Target ID:7
                                                                                          Start time:22:21:20
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
                                                                                          Imagebase:0x12b0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.287494272.0000000005381000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.287862922.0000000005541000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.287111363.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.287132788.00000000051A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.287038579.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.285682496.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.287469423.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.287075796.00000000050C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.285736531.0000000004AF1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.287604820.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.287829918.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.287729935.00000000054E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.288375637.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.288125580.00000000056A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.288102612.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Target ID:8
                                                                                          Start time:22:21:20
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
                                                                                          Imagebase:0x12b0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Target ID:9
                                                                                          Start time:22:21:25
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrq",FloWMCkThX
                                                                                          Imagebase:0x12b0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.288455858.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.288482327.00000000048A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.293864491.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security

                                                                                          General

                                                                                          Target ID:10
                                                                                          Start time:22:21:26
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                          Imagebase:0x7ff641cd0000
                                                                                          File size:51288 bytes
                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language

                                                                                          General

                                                                                          Target ID:11
                                                                                          Start time:22:21:27
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lvetlyszixrl\grmpeubxplti.rrq",DllRegisterServer
                                                                                          Imagebase:0x12b0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.780209080.0000000005701000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779999636.0000000005491000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779143719.0000000000E51000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779418909.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779603939.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.778637126.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779449781.0000000004DF1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779771482.0000000005281000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779542982.0000000004ED1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779971740.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779631051.0000000005031000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779317583.0000000004731000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.780141318.0000000005681000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779684590.0000000005191000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779867718.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779237002.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779911189.00000000053A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.780100280.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779726684.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779504243.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.780181061.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.779651988.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.780299654.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security

                                                                                          General

                                                                                          Target ID:12
                                                                                          Start time:22:21:29
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                          Imagebase:0x7ff641cd0000
                                                                                          File size:51288 bytes
                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language

                                                                                          General

                                                                                          Target ID:13
                                                                                          Start time:22:21:35
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                          Imagebase:0x7ff641cd0000
                                                                                          File size:51288 bytes
                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language

                                                                                          General

                                                                                          Target ID:14
                                                                                          Start time:22:21:35
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\SgrmBroker.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                          Imagebase:0x7ff6de5a0000
                                                                                          File size:163336 bytes
                                                                                          MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language

                                                                                          General

                                                                                          Target ID:15
                                                                                          Start time:22:21:36
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                          Imagebase:0x7ff641cd0000
                                                                                          File size:51288 bytes
                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language

                                                                                          General

                                                                                          Target ID:19
                                                                                          Start time:22:21:59
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                          Imagebase:0x7ff641cd0000
                                                                                          File size:51288 bytes
                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language

                                                                                          General

                                                                                          Target ID:21
                                                                                          Start time:22:22:23
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                          Imagebase:0x7ff772bb0000
                                                                                          File size:36864 bytes
                                                                                          MD5 hash:02BA81746B929ECC9DB6665589B68335
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language

                                                                                          General

                                                                                          Target ID:22
                                                                                          Start time:22:22:23
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                          Imagebase:0x7ff641cd0000
                                                                                          File size:51288 bytes
                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language

                                                                                          General

                                                                                          Target ID:23
                                                                                          Start time:22:22:37
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                          Imagebase:0x7ff7bf500000
                                                                                          File size:455656 bytes
                                                                                          MD5 hash:A267555174BFA53844371226F482B86B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language

                                                                                          General

                                                                                          Target ID:24
                                                                                          Start time:22:22:37
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff774ee0000
                                                                                          File size:625664 bytes
                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language

                                                                                          General

                                                                                          Target ID:26
                                                                                          Start time:22:22:40
                                                                                          Start date:28/01/2022
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                          Imagebase:0x7ff641cd0000
                                                                                          File size:51288 bytes
                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language

                                                                                          Disassembly

                                                                                          No disassembly