Windows Analysis Report
9818t9ks1s

Overview

General Information

Sample Name: 9818t9ks1s (renamed file extension from none to dll)
Analysis ID: 669370
MD5: 83418a9af56db91ff2c78c4b2b9d62f8
SHA1: 0ea68aab3721e509ce0b1bff7e574eda037798be
SHA256: 4a688f571024b08f9793559427d8692471f5aa715882899c631c3052eac7c6a1
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
PE file contains strange resources
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6888 cmdline: loaddll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6896 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6924 cmdline: rundll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6912 cmdline: regsvr32.exe /s C:\Users\user\Desktop\9818t9ks1s.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • regsvr32.exe (PID: 7020 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvqee\qeggfkimakwygr.che" MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 6932 cmdline: rundll32.exe C:\Users\user\Desktop\9818t9ks1s.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7040 cmdline: rundll32.exe C:\Users\user\Desktop\9818t9ks1s.dll,DllUnregisterServerr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 5084 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6324 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6576 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3952 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7028 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5748 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
Source | Rule | Description | Author
00000002.00000002.440856153.00000000049E1000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.440856153.00000000049E1000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000003.00000002.438019180.00000000049F1000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.438019180.00000000049F1000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000002.00000002.440822056.00000000049B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(5 of 11 entries shown)

Source | Rule | Description | Author
2.2.regsvr32.exe.49b0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
2.2.regsvr32.exe.49b0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.rundll32.exe.4290000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
4.2.rundll32.exe.4290000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
5.2.regsvr32.exe.4c70000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(5 of 19 entries shown)
                      No Sigma rule has matched
Timestamp: 07/20/22-01:07:10.809694
Source IP: 192.168.2.5
Destination IP: 119.193.124.41
SID: 2404304
Source Port: 49822
Destination Port: 7080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-01:07:08.508000
Source IP: 192.168.2.5
Destination IP: 51.91.76.89
SID: 2404338
Source Port: 49811
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected


                      AV Detection

Source: 9818t9ks1s.dll | Virustotal: Detection: 69%
Source: 9818t9ks1s.dll | Avira: detected
Source: https://70.36.102.35/v | Avira URL Cloud: Label: malware
Source: https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQdF | Avira URL Cloud: Label: malware
Source: https://70.36.102.35/ | Avira URL Cloud: Label: malware
Source: https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQdT | Avira URL Cloud: Label: malware
Source: https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQd | Avira URL Cloud: Label: malware
Source: https://70.36.102.35/ | Virustotal: Detection: 13%
Source: 9818t9ks1s.dll | Joe Sandbox ML: detected
Source: 00000005.00000002.953841049.00000000032E6000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet {"C2 list": ["51.91.7.5:8080", "197.242.150.244:8080", "1.234.2.232:8080", "173.212.193.249:8080", "51.91.76.89:8080", "151.106.112.196:8080", "107.182.225.142:8080", "103.43.46.182:443", "195.201.151.129:8080", "51.254.140.238:7080", "153.126.146.25:7080", "176.56.128.118:443", "188.44.20.25:443", "119.193.124.41:7080", "70.36.102.35:443", "45.142.114.231:8080", "46.55.222.11:443", "82.165.152.127:8080", "212.237.17.99:8080", "92.240.254.110:8080", "217.182.25.250:8080", "189.126.111.200:7080", "212.24.98.99:8080", "45.176.232.124:443", "192.99.251.50:443", "216.158.226.206:443", "206.188.212.92:8080", "176.104.106.96:8080", "159.65.88.10:8080", "138.185.72.26:8080", "203.114.109.124:443", "103.75.201.2:443", "1.234.21.73:7080", "209.126.98.206:8080", "50.30.40.196:8080", "209.250.246.206:443", "178.79.147.66:8080", "50.116.54.215:443", "185.8.212.130:7080", "31.24.158.56:8080", "146.59.226.45:443", "72.15.201.15:8080", "110.232.117.186:8080", "5.9.116.246:8080", "185.157.82.211:8080", "129.232.188.93:443", "158.69.222.101:443", "164.68.99.3:8080", "45.118.135.203:7080", "101.50.0.91:8080", "195.154.133.20:443", "196.218.30.83:443", "45.118.115.99:8080", "167.99.115.35:8080", "79.172.212.216:8080", "159.8.59.82:8080"]}
Source: 9818t9ks1s.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,

                      Networking

Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 217.182.25.250 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 70.36.102.35 443
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 51.91.76.89 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 119.193.124.41 7080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 92.240.254.110 8080
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49811 -> 51.91.76.89:8080
Source: Traffic | Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.5:49822 -> 119.193.124.41:7080
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: PLUSSERVER-ASN1DE
Source: Joe Sandbox View | IP Address: 217.182.25.250
Source: global traffic | TCP traffic: 192.168.2.5:49770 -> 92.240.254.110:8080
Source: global traffic | TCP traffic: 192.168.2.5:49811 -> 51.91.76.89:8080
Source: global traffic | TCP traffic: 192.168.2.5:49817 -> 217.182.25.250:8080
Source: global traffic | TCP traffic: 192.168.2.5:49822 -> 119.193.124.41:7080
Source: unknown | Network traffic detected: IP country count 28
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown | TCP traffic detected without corresponding DNS query: 92.240.254.110
Source: unknown | TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown | TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown | TCP traffic detected without corresponding DNS query: 119.193.124.41
-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-11T16:37:37.4991749Z||.||58dfb4d5-be7e-424e-8739-cac99224843f||1152921505695035586||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: regsvr32.exe, 00000005.00000003.538445333.0000000003352000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.954006400.0000000003352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.836929466.0000019586090000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.684487522.000002554B900000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 0000000D.00000002.836929466.0000019586090000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.684378033.000002554AEEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                      Source: regsvr32.exe, 00000005.00000003.538445333.0000000003352000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.954006400.0000000003352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabQ
                      Source: regsvr32.exe, 00000005.00000003.538445333.0000000003352000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.954006400.0000000003352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en6
                      Source: svchost.exe, 00000018.00000003.654122875.000002554B9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654040928.000002554B991000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654068801.000002554B9A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: svchost.exe, 0000000D.00000002.836571481.00000195808AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.dmtf.o
                      Source: svchost.exe, 0000000D.00000002.836571481.00000195808AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/
                      Source: svchost.exe, 0000000D.00000002.836571481.00000195808AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeratio
                      Source: regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://70.36.102.35/
                      Source: regsvr32.exe, 00000005.00000003.481253554.000000000331E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQd
                      Source: regsvr32.exe, 00000005.00000003.481253554.000000000331E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQdF
                      Source: regsvr32.exe, 00000005.00000003.481253554.000000000331E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQdT
                      Source: regsvr32.exe, 00000005.00000003.481253554.000000000331E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://70.36.102.35/v
                      Source: regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://92.240.254.110/
                      Source: regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://92.240.254.110/6.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQd
                      Source: regsvr32.exe, 00000005.00000002.953979215.0000000003347000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.538622366.0000000003347000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://92.240.254.110:8080/gECMlLDhVoiKFtzKjjRUPjlZHZhhxfpHLqiKeXIlMdFcRqaPxeg
                      Source: svchost.exe, 00000018.00000003.654122875.000002554B9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654040928.000002554B991000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654068801.000002554B9A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 00000018.00000003.650938728.000002554BE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650909580.000002554B9B1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651038741.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650818268.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650841411.000002554B9A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651011860.000002554BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650968671.000002554BE1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.hotspotshield.com/
                      Source: svchost.exe, 00000018.00000003.654122875.000002554B9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654040928.000002554B991000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654068801.000002554B9A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000018.00000003.654122875.000002554B9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654040928.000002554B991000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654068801.000002554B9A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000018.00000003.650938728.000002554BE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650909580.000002554B9B1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651038741.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650818268.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650841411.000002554B9A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651011860.000002554BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650968671.000002554BE1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.hotspotshield.com/terms/
                      Source: svchost.exe, 00000018.00000003.650938728.000002554BE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650909580.000002554B9B1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651038741.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650818268.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650841411.000002554B9A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651011860.000002554BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650968671.000002554BE1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.pango.co/privacy
                      Source: svchost.exe, 00000018.00000003.659846928.000002554B991000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.659413155.000002554BE18000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.659476166.000002554B9A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.659437692.000002554BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.659235634.000002554B9A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10032A2D GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003437E GetKeyState,GetKeyState,GetKeyState,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1002FE1B ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003437E GetKeyState,GetKeyState,GetKeyState,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001D99B __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10032A2D GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002FE1B ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,

                      E-Banking Fraud

                      Source: Yara matchFile source: 2.2.regsvr32.exe.49b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.4290000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.regsvr32.exe.4c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.regsvr32.exe.4c70000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.3110000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.42c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.3110000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.49e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.49b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.regsvr32.exe.4d70000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.49f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.4290000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.440856153.00000000049E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.438019180.00000000049F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.440822056.00000000049B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.438281451.0000000004290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.954167693.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.438313364.00000000042C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.954213063.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.437810837.0000000003110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: 9818t9ks1s.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                      Source: C:\Windows\SysWOW64\regsvr32.exeFile deleted: C:\Windows\SysWOW64\Bvqee\qeggfkimakwygr.che:Zone.Identifier
                      Source: C:\Windows\SysWOW64\regsvr32.exeFile created: C:\Windows\SysWOW64\Bvqee\
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1001409B
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10023973
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1000DB7F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001409B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10023973
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10010A0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000DB7F
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10011BF0 appears 53 times
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10012514 appears 39 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10011BF0 appears 118 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10012514 appears 47 times
                      Source: 9818t9ks1s.dllStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: 9818t9ks1s.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9818t9ks1s.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9818t9ks1s.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
                      Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
                      Source: 9818t9ks1s.dllVirustotal: Detection: 69%
                      Source: 9818t9ks1s.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9818t9ks1s.dll
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9818t9ks1s.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvqee\qeggfkimakwygr.che"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9818t9ks1s.dll,DllUnregisterServerr
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9818t9ks1s.dll
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9818t9ks1s.dll,DllRegisterServer
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9818t9ks1s.dll,DllUnregisterServerr
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll",#1
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvqee\qeggfkimakwygr.che"
                      Source: C:\Windows\SysWOW64\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
                      Source: classification engineClassification label: mal100.troj.evad.winDLL@19/5@0/58
                      Source: C:\Windows\SysWOW64\regsvr32.exeFile read: C:\Users\desktop.ini
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll",#1
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10006120 FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: 9818t9ks1s.dllStatic PE information: section name: RT_CURSOR
                      Source: 9818t9ks1s.dllStatic PE information: section name: RT_BITMAP
                      Source: 9818t9ks1s.dllStatic PE information: section name: RT_ICON
                      Source: 9818t9ks1s.dllStatic PE information: section name: RT_MENU
                      Source: 9818t9ks1s.dllStatic PE information: section name: RT_DIALOG
                      Source: 9818t9ks1s.dllStatic PE information: section name: RT_STRING
                      Source: 9818t9ks1s.dllStatic PE information: section name: RT_ACCELERATOR
                      Source: 9818t9ks1s.dllStatic PE information: section name: RT_GROUP_ICON
                      Source: 9818t9ks1s.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 9818t9ks1s.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 9818t9ks1s.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 9818t9ks1s.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 9818t9ks1s.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10010B20 push eax; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10010B20 push eax; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10011BF0 push eax; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1001254F push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001254F push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10010B20 push eax; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10010B20 push eax; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10011BF0 push eax; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10025CEC __EH_prolog,LoadLibraryA,GetProcAddress,
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9818t9ks1s.dll
                      Source: C:\Windows\SysWOW64\regsvr32.exePE file moved: C:\Windows\SysWOW64\Bvqee\qeggfkimakwygr.che

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\regsvr32.exeFile opened: C:\Windows\SysWOW64\Bvqee\qeggfkimakwygr.che:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Urxuhfwuvdoqo\fwicd.dee:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Fwtalcmqgixd\btngtvbvsro.wfo:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10007AE5 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10007AE5 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 6164Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6524Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6228Thread sleep time: -120000s >= -30000s
                      Source: C:\Windows\SysWOW64\regsvr32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                      Source: C:\Windows\SysWOW64\regsvr32.exeAPI coverage: 2.8 %
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 2.6 %
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10010839 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002592C __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\regsvr32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: svchost.exe, 00000018.00000002.684176363.000002554AE70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
                      Source: regsvr32.exe, 00000005.00000003.526469173.0000000003338000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.481292465.0000000003338000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.538611722.0000000003338000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.953956932.0000000003338000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.836818432.000001958604C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.836852130.0000019586062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.684378033.000002554AEEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 0000000D.00000002.836363112.000001958082A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@P
                      Source: svchost.exe, 0000000E.00000002.953778088.000002243AA02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: svchost.exe, 0000000E.00000002.953865417.000002243AA28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: regsvr32.exe, 00000005.00000003.526469173.0000000003338000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.481292465.0000000003338000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.538611722.0000000003338000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.953956932.0000000003338000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWd
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10025CEC __EH_prolog,LoadLibraryA,GetProcAddress,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10005260 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,
                      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10016DD6 SetUnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10016DEA SetUnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 217.182.25.250 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 70.36.102.35 443
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 51.91.76.89 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 119.193.124.41 7080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 92.240.254.110 8080
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10011075 GetSystemTimeAsFileTime,__aulldiv,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10018E14 __lock,_strlen,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10001100 GetVersionExA,InterlockedExchange,

                      Stealing of Sensitive Information

Source: Yara match | File source: 2.2.regsvr32.exe.49b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.regsvr32.exe.4c70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.regsvr32.exe.4c70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.42c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.49e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.49b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.regsvr32.exe.4d70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.49f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4290000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.440856153.00000000049E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.438019180.00000000049F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.440822056.00000000049B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.438281451.0000000004290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.954167693.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.438313364.00000000042C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.954213063.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.437810837.0000000003110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the signature count shown in the report for that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 2 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: 2 Masquerading; 3 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 1 Regsvr32; 1 Rundll32; 1 DLL Side-Loading; 1 File Deletion
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 31 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 36 System Information Discovery; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: 1 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: 12 Encrypted Channel; 1 Non-Standard Port; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact
Behavior Graph (ID: 669370, Sample: 9818t9ks1s, Startdate: 20/07/2022, Architecture: WINDOWS, Score: 100; the rendered graph is not preserved, its node and edge labels are summarised here):

• Sample-level network: 129.232.188.93 (xneeloZA, South Africa); 185.8.212.130 (UZINFOCOMUZ, Uzbekistan); 49 other IPs or domains.
• Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 5 other signatures.
• Processes started from the sample: loaddll32.exe; svchost.exe; svchost.exe; 4 other processes.
• loaddll32.exe starts regsvr32.exe, cmd.exe, rundll32.exe and a second rundll32.exe; cmd.exe starts rundll32.exe; regsvr32.exe starts a child regsvr32.exe.
• One svchost.exe contacts 127.0.0.1 (unknown), the other 192.168.2.1 (unknown).
• The child regsvr32.exe connects to 70.36.102.35 (ports 443, 49767, 49768; PERFECT-INTERNATIONALUS, United States), 217.182.25.250 (ports 49817, 8080; OVHFR, France) and 3 other IPs or domains. Signature on this node: System process connects to network (likely due to code injection or exploit).
• Signature "Hides that the sample has been downloaded from the Internet (zone.identifier)" fires on regsvr32.exe and on the rundll32.exe started by cmd.exe.

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:
Source | Detection | Scanner | Label
9818t9ks1s.dll | 70% | Virustotal |
9818t9ks1s.dll | 100% | Avira | TR/AD.Nekark.bnwrm
9818t9ks1s.dll | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches

Unpacked PE files:
Source | Detection | Scanner | Label
2.2.regsvr32.exe.49b0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
4.2.rundll32.exe.4290000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
5.2.regsvr32.exe.4c70000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
5.2.regsvr32.exe.4d70000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.regsvr32.exe.49e0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.42c0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.49f0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.3110000.0.unpack | 100% | Avira | HEUR/AGEN.1215461

Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://70.36.102.35/v | 100% | Avira URL Cloud | malware
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQdF | 100% | Avira URL Cloud | malware
https://70.36.102.35/ | 14% | Virustotal |
https://70.36.102.35/ | 100% | Avira URL Cloud | malware
https://www.pango.co/privacy | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQdT | 100% | Avira URL Cloud | malware
http://schemas.dmtf.o | 0% | Avira URL Cloud | safe
https://92.240.254.110:8080/gECMlLDhVoiKFtzKjjRUPjlZHZhhxfpHLqiKeXIlMdFcRqaPxeg | 0% | Avira URL Cloud | safe
https://92.240.254.110/6.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQd | 0% | Avira URL Cloud | safe
https://92.240.254.110/ | 0% | Avira URL Cloud | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQd | 100% | Avira URL Cloud | malware
                      No contacted domains info
URLs from memory strings:
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2004/ | svchost.exe, 0000000D.00000002.836571481.00000195808AF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000018.00000003.654122875.000002554B9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654040928.000002554B991000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654068801.000002554B9A2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://70.36.102.35/v | regsvr32.exe, 00000005.00000003.481253554.000000000331E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000018.00000003.654122875.000002554B9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654040928.000002554B991000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654068801.000002554B9A2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQdF | regsvr32.exe, 00000005.00000003.481253554.000000000331E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://70.36.102.35/ | regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmp | true | 14%, Virustotal; Avira URL Cloud: malware | unknown
https://www.hotspotshield.com/terms/ | svchost.exe, 00000018.00000003.650938728.000002554BE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650909580.000002554B9B1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651038741.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650818268.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650841411.000002554B9A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651011860.000002554BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650968671.000002554BE1A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.pango.co/privacy | svchost.exe, 00000018.00000003.650938728.000002554BE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650909580.000002554B9B1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651038741.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650818268.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650841411.000002554B9A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651011860.000002554BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650968671.000002554BE1A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://disneyplus.com/legal. | svchost.exe, 00000018.00000003.654122875.000002554B9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654040928.000002554B991000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654068801.000002554B9A2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 0000000D.00000002.836929466.0000019586090000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.684378033.000002554AEEB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000018.00000003.659846928.000002554B991000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.659413155.000002554BE18000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.659476166.000002554B9A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.659437692.000002554BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.659235634.000002554B9A6000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQdT | regsvr32.exe, 00000005.00000003.481253554.000000000331E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.dmtf.o | svchost.exe, 0000000D.00000002.836571481.00000195808AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://92.240.254.110:8080/gECMlLDhVoiKFtzKjjRUPjlZHZhhxfpHLqiKeXIlMdFcRqaPxeg | regsvr32.exe, 00000005.00000002.953979215.0000000003347000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.538622366.0000000003347000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://92.240.254.110/6.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQd | regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://92.240.254.110/ | regsvr32.exe, 00000005.00000003.526452741.000000000331E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://help.disneyplus.com. | svchost.exe, 00000018.00000003.654122875.000002554B9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654040928.000002554B991000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.654068801.000002554B9A2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/09/enumeratio | svchost.exe, 0000000D.00000002.836571481.00000195808AF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.hotspotshield.com/ | svchost.exe, 00000018.00000003.650938728.000002554BE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650909580.000002554B9B1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651038741.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650818268.000002554B98F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650841411.000002554B9A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.651011860.000002554BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.650968671.000002554BE1A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://70.36.102.35/gVsYreJaRCTZGAqrRgMzhhpqBeNQd | regsvr32.exe, 00000005.00000003.481253554.000000000331E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                              Joe Sandbox Version:35.0.0 Citrine
                              Analysis ID:669370
Start date and time:2022-07-20 01:05:10 +02:00
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 12m 23s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:9818t9ks1s (renamed file extension from none to dll)
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.evad.winDLL@19/5@0/58
                              EGA Information:
                              • Successful, ratio: 100%
                              HDC Information:
                              • Successful, ratio: 99.8% (good quality ratio 97.2%)
                              • Quality average: 84.5%
                              • Quality standard deviation: 23.7%
                              HCA Information:
                              • Successful, ratio: 94%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Override analysis time to 240s for rundll32
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
                              • Excluded IPs from analysis (whitelisted): 20.106.86.13, 23.205.181.161, 13.71.55.58, 23.211.4.86, 20.223.24.244
                              • Excluded domains from analysis (whitelisted): fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, settings-prod-cin-2.centralindia.cloudapp.azure.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, settings-prod-wus3-1.westus3.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, atm-settingsfe-prod-weighted.trafficmanager.net, ris.api.iris.microsoft.com, licensing.mp.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
01:06:51  API Interceptor  11x Sleep call for process: svchost.exe modified
                              Process:C:\Windows\System32\svchost.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8192
                              Entropy (8bit):0.3593198815979092
                              Encrypted:false
                              SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
                              MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
                              SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
                              SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
                              SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
                              Malicious:false
                              Preview:.............*..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................*.............................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\svchost.exe
                              File Type:MPEG-4 LOAS
                              Category:dropped
                              Size (bytes):1310720
                              Entropy (8bit):0.24943716309551126
                              Encrypted:false
                              SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU49:BJiRdwfu2SRU49
                              MD5:00654427E58616B58C62FC50C2B52CAE
                              SHA1:FAE33CDA4A87AE87F8C54F629D947A73C0F3D752
                              SHA-256:03367E7F1FBA65E7384C510DBEF162E503A7499F98E712C23D2A4990677EBACD
                              SHA-512:50B9C51F0154E0AC12BFE61392E0295E5B70A93338AE526C115E018FE46A93596226C4B2A0BD74C2B254883E93F1CC2A7BFF900D505722DC7CB765E1B5EF9A2D
                              Malicious:false
                              Preview:V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\svchost.exe
                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x31ef495f, page size 16384, Windows version 10.0
                              Category:dropped
                              Size (bytes):786432
                              Entropy (8bit):0.25054036977537886
                              Encrypted:false
                              SSDEEP:384:7jM+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:7jTSB2nSB2RSjlK/+mLesOj1J2
                              MD5:F449C6D8DF10E7E1F61BDD97A6494F87
                              SHA1:CE664D962FF28C7AD92580FEAB4E450998815495
                              SHA-256:5928D3F1531BDD70D74FF76EEF2344721E7398CC22D3F203F09CBEDD149DE78A
                              SHA-512:5B77117B0644DAB36AC90631921320E6B5978D08E4D7B852E212F6E89335E7021068E8570BF8E777941328E3B4E1511AF61F99DD07D633BB8195149C484955B9
                              Malicious:false
                              Preview:1.I_... ................e.f.3...w........................)..........z..3....z9.h.(..........z....)..............3...w...........................................................................................................B...........@...................................................................................................... ....................................................................................................................................................................................................................................................(.0.....z...........................z..........................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\svchost.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):16384
                              Entropy (8bit):0.07303587911152667
                              Encrypted:false
                              SSDEEP:3:R4HR7vWMoximlll/tksjibD1tHlllall3Vkttlmlnl:grW/iWMwibD1tfA3
                              MD5:F2E666170C5999D5002A645DC8634D6E
                              SHA1:20FFA1FAF1479110694542B7972C3F5155A9BED6
                              SHA-256:57FB4BC8D3FFC4201342D81B07349EA6BC5728AFB0C4213E52AC91FB781D2E1E
                              SHA-512:331576024162E4BBD3517803D81CEC60A8A12D1DED59E31B50FCA8DCC2D0721EE075955591EF0116383F3188729105F45E65CE4F376610963ECDA11978181B6B
                              Malicious:false
                              Preview:=........................................3...w..3....z9......z...............z.......z..yM.I.....z}i.........................z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\svchost.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):55
                              Entropy (8bit):4.306461250274409
                              Encrypted:false
                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                              Malicious:false
                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.352826845434315
                              TrID:
                              • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
                              • Windows Screen Saver (13104/52) 1.29%
                              • Generic Win/DOS Executable (2004/3) 0.20%
                              • DOS Executable Generic (2002/1) 0.20%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:9818t9ks1s.dll
                              File size:655360
                              MD5:83418a9af56db91ff2c78c4b2b9d62f8
                              SHA1:0ea68aab3721e509ce0b1bff7e574eda037798be
                              SHA256:4a688f571024b08f9793559427d8692471f5aa715882899c631c3052eac7c6a1
                              SHA512:dadfeea6c52deda79860158036b60c54e907483b3f317e270d44e5949db169f4a26e748956654d914a3c9dda52c264e2c79bc0073254d9e58c62d9b5e69205a2
                              SSDEEP:6144:/6ZMFXzqfoSHr/mvcQYbi2HN8C8BgifO7y7TcuVqrWLWN7Ypsi6Ih9vH0/oUHahE:/8MFX47ivcQMNsrD4KJjO69cI
                              TLSH:06D47C0EFFD1C1B2D36B123019D5C64823ADBF2CEAA1C5B777A8BE1D69326C14512B16
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)..0m..cm..cm..c...cg..c...ck..c~..co..c...c|..cm..c@..ch..cq..ch..c...cF..cd..ch..c...ch..cl..c...cl..ch..cl..cRichm..c.......
                              Icon Hash:c0cc4c687ccccc78
                              Entrypoint:0x1001131c
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x10000000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                              DLL Characteristics:
                              Time Stamp:0x623CFB7E [Thu Mar 24 23:15:10 2022 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:d63ab94f4bb6b5d2f0f6092bf07e00ac
                              Instruction
                              push 0000000Ch
                              push 10041D40h
                              call 00007FB05074AA61h
                              xor eax, eax
                              inc eax
                              mov dword ptr [ebp-1Ch], eax
                              mov esi, dword ptr [ebp+0Ch]
                              xor edi, edi
                              cmp esi, edi
                              jne 00007FB05074987Eh
                              cmp dword ptr [1004F3C8h], edi
                              je 00007FB050749929h
                              mov dword ptr [ebp-04h], edi
                              cmp esi, eax
                              je 00007FB050749877h
                              cmp esi, 02h
                              jne 00007FB0507498A3h
                              mov eax, dword ptr [10050CB4h]
                              cmp eax, edi
                              je 00007FB05074987Eh
                              push dword ptr [ebp+10h]
                              push esi
                              push dword ptr [ebp+08h]
                              call eax
                              mov dword ptr [ebp-1Ch], eax
                              cmp dword ptr [ebp-1Ch], edi
                              je 00007FB0507498FBh
                              push dword ptr [ebp+10h]
                              push esi
                              push dword ptr [ebp+08h]
                              call 00007FB050749697h
                              mov dword ptr [ebp-1Ch], eax
                              cmp eax, edi
                              je 00007FB0507498E4h
                              mov ebx, dword ptr [ebp+10h]
                              push ebx
                              push esi
                              push dword ptr [ebp+08h]
                              call 00007FB05073E608h
                              mov dword ptr [ebp-1Ch], eax
                              cmp esi, 01h
                              jne 00007FB050749880h
                              cmp eax, edi
                              jne 00007FB05074987Ch
                              push ebx
                              push edi
                              push dword ptr [ebp+08h]
                              call 00007FB05074966Dh
                              cmp esi, edi
                              je 00007FB050749877h
                              cmp esi, 03h
                              jne 00007FB05074989Bh
                              push ebx
                              push esi
                              push dword ptr [ebp+08h]
                              call 00007FB05074965Ah
                              test eax, eax
                              jne 00007FB050749875h
                              mov dword ptr [ebp-1Ch], edi
                              cmp dword ptr [ebp-1Ch], edi
                              je 00007FB050749885h
                              mov eax, dword ptr [10050CB4h]
                              cmp eax, edi
                              je 00007FB05074987Ch
                              push ebx
                              push esi
                              push dword ptr [ebp+08h]
                              call eax
                              mov dword ptr [ebp-1Ch], eax
                              or dword ptr [ebp-04h], FFFFFFFFh
                              mov eax, dword ptr [ebp-1Ch]
                              jmp 00007FB05074988Ch
                              mov eax, dword ptr [ebp-14h]
                              mov ecx, dword ptr [eax]
                              Programming Language:
                              • [ASM] VS2003 (.NET) build 3077
                              • [ C ] VS2003 (.NET) build 3077
                              • [C++] VS2003 (.NET) build 3077
                              • [EXP] VS2003 (.NET) build 3077
                              • [RES] VS2003 (.NET) build 3077
                              • [LNK] VS2003 (.NET) build 3077
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x4aa40          0x6e          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x48844          0x104         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x51000          0x480a0       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9a000          0x4e40        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x43830          0x48          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x3c000          0x668         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x487bc          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x3a49e       0x3b000   False     0.6009418034957628   data       6.6116392367886405  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x3c000          0xeaae        0xf000    False     0.32220052083333334  data       5.046533656475497   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x4b000          0x5cb8        0x3000    False     0.2513834635416667   data       3.8346109495878085  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x51000          0x480a0       0x49000   False     0.5524534460616438   data       6.0777904674160155  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x9a000          0x8810        0x9000    False     0.3506673177083333   data       4.48951519417909    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name             RVA      Size     Type                                                                                                                                            Language  Country
                 0x747c0  0x20800  data
RT_CURSOR        0x95028  0x134    data
RT_CURSOR        0x95160  0xb4     data
RT_CURSOR        0x95240  0x134    AmigaOS bitmap font
RT_CURSOR        0x95390  0x134    data
RT_CURSOR        0x954e0  0x134    data
RT_CURSOR        0x95630  0x134    data
RT_CURSOR        0x95780  0x134    data
RT_CURSOR        0x958d0  0x134    data
RT_CURSOR        0x95a20  0x134    data
RT_CURSOR        0x95b70  0x134    data
RT_CURSOR        0x95cc0  0x134    data
RT_CURSOR        0x95e10  0x134    data
RT_CURSOR        0x95f60  0x134    AmigaOS bitmap font
RT_CURSOR        0x960b0  0x134    data
RT_CURSOR        0x96200  0x134    data
RT_CURSOR        0x96350  0x134    data
RT_BITMAP        0x522e0  0x428    data
RT_BITMAP        0x520c0  0xe0     GLS_BINARY_LSB_FIRST                                                                                                                            Spanish   Mexico
RT_BITMAP        0x965a0  0xb8     data
RT_BITMAP        0x96658  0x144    data
RT_ICON          0x52a98  0x10828  dBase III DBT, version number 0, next free block index 40
RT_ICON          0x632d8  0x10828  dBase III DBT, version number 0, next free block index 40
RT_ICON          0x73b18  0x2e8    data
RT_ICON          0x73e00  0x128    GLS_BINARY_LSB_FIRST
RT_ICON          0x73f50  0x2e8    data
RT_ICON          0x74238  0x128    GLS_BINARY_LSB_FIRST
RT_ICON          0x74388  0x2e8    data
RT_ICON          0x74670  0x128    GLS_BINARY_LSB_FIRST
RT_MENU          0x52728  0x23a    data
RT_MENU          0x521b0  0x46     data                                                                                                                                            Spanish   Mexico
RT_DIALOG        0x52968  0x12c    data
RT_DIALOG        0x521f8  0xe2     data                                                                                                                                            Spanish   Mexico
RT_DIALOG        0x964a0  0xfe     data
RT_STRING        0x96810  0x92     data
RT_STRING        0x967a0  0x6a     data                                                                                                                                            Spanish   Mexico
RT_STRING        0x968a8  0x48     data
RT_STRING        0x96938  0x19e    data
RT_STRING        0x96c08  0x280    data
RT_STRING        0x97010  0x39c    data
RT_STRING        0x96f90  0x7a     data
RT_STRING        0x96ad8  0x12e    data
RT_STRING        0x96e88  0x104    data
RT_STRING        0x968f0  0x46     data
RT_STRING        0x973b0  0x128    data
RT_STRING        0x974d8  0x240    data
RT_STRING        0x97718  0x9e     data
RT_STRING        0x977b8  0xb0     Hitachi SH big-endian COFF object file, not stripped, 16640 sections, symbol offset=0x69007200, 201344768 symbols, optional header size 29952
RT_STRING        0x97868  0x30     data
RT_STRING        0x97898  0x1d0    data
RT_STRING        0x97a68  0x5bc    data
RT_STRING        0x98418  0x31c    data
RT_STRING        0x98118  0x300    data
RT_STRING        0x98fa0  0xb0     data
RT_STRING        0x98028  0xee     data
RT_STRING        0x98e50  0x11e    data
RT_STRING        0x98738  0x4d0    data
RT_STRING        0x98c08  0x248    data
RT_STRING        0x98f70  0x2e     data
RT_STRING        0x99050  0x4c     data
RT_ACCELERATOR   0x94fc0  0x68     data
RT_GROUP_CURSOR  0x95218  0x22     Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR  0x95a08  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x95378  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x958b8  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x95768  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x96098  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x95618  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x95ca8  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x954c8  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x95b58  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x95df8  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x95f48  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x961e8  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x96338  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x96488  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON    0x632c0  0x14     data
RT_GROUP_ICON    0x73f28  0x22     data
RT_GROUP_ICON    0x73b00  0x14     data
RT_GROUP_ICON    0x74360  0x22     data
RT_GROUP_ICON    0x74798  0x22     data
None             0x52708  0x1e     data
None             0x521a0  0xa      data                                                                                                                                            Spanish   Mexico
                              DLLImport
                              KERNEL32.dllRtlUnwind, GetSystemTimeAsFileTime, GetCommandLineA, TerminateProcess, HeapReAlloc, HeapSize, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, VirtualQuery, QueryPerformanceCounter, GetCurrentProcessId, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, SetStdHandle, SetEnvironmentVariableA, GetSystemInfo, VirtualAlloc, VirtualProtect, HeapFree, HeapAlloc, GetTickCount, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetOEMCP, GetCPInfo, GetShortPathNameA, CreateFileA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, DeleteFileA, MoveFileA, GetCurrentDirectoryA, GlobalFlags, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, InitializeCriticalSection, RaiseException, GetDiskFreeSpaceA, GetFullPathNameA, GetTempFileNameA, GetFileTime, SetFileTime, GetFileAttributesA, GlobalGetAtomNameA, GlobalFindAtomA, lstrcatA, lstrcmpW, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, CloseHandle, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, FreeLibrary, GlobalDeleteAtom, lstrcmpA, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, LoadLibraryA, FreeResource, SetLastError, GlobalFree, FindResourceA, LoadResource, LockResource, SizeofResource, MulDiv, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, lstrcpynA, LocalFree, ExitProcess, GetStringTypeExA, 
CompareStringW, CompareStringA, lstrlenA, lstrcmpiA, GetVersion, GetLastError, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, UnhandledExceptionFilter, InterlockedExchange
USER32.dll: KillTimer, WindowFromPoint, GetDCEx, LockWindowUpdate, RegisterClipboardFormatA, PostThreadMessageA, SetRect, CharNextA, DestroyIcon, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, LoadCursorA, GetSysColorBrush, SetParent, GetSystemMenu, DeleteMenu, IsRectEmpty, IsZoomed, GetDC, ReleaseDC, LoadMenuA, DestroyMenu, UnpackDDElParam, ReuseDDElParam, ReleaseCapture, LoadAcceleratorsA, InsertMenuItemA, CreatePopupMenu, SetRectEmpty, BringWindowToTop, SetMenu, TranslateAcceleratorA, InvalidateRect, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, IsChild, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, LoadIconA, MapWindowPoints, TrackPopupMenu, SetForegroundWindow, SetTimer, GetClientRect, GetMenu, GetSysColor, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetClassInfoA, RegisterClassA, UnregisterClassA, DefWindowProcA, CallWindowProcA, OffsetRect, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, CopyRect, PtInRect, GetWindow, SetWindowContextHelpId, MapDialogRect, wsprintfA, GetWindowTextLengthA, GetWindowTextA, SetWindowPos, CharUpperA, UpdateWindow, EnableWindow, SendMessageA, GetClassInfoExA, GetSubMenu, GetMenuItemCount, InsertMenuA, GetMenuItemID, AppendMenuA, SetFocus, ShowWindow, MoveWindow, SetWindowLongA, GetDlgCtrlID, SetWindowTextA, IsDialogMessageA, SendDlgItemMessageA, GetMenuItemInfoA, InflateRect, SetMenuItemBitmaps, GetFocus, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, MessageBeep, GetNextDlgGroupItem, SetCapture, InvalidateRgn, CopyAcceleratorTableA, GetMenuStringA, GetMenuState, EndDialog, GetNextDlgTabItem, GetParent, IsWindowEnabled, GetDlgItem, GetWindowLongA, IsWindow, DestroyWindow, CreateDialogIndirectParamA, GetSystemMetrics, SetActiveWindow, GetActiveWindow, GetDesktopWindow, PostQuitMessage, PostMessageA, SetCursor, ShowOwnedPopups, GetLastActivePopup, MessageBoxA, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, DispatchMessageA
GDI32.dll: CreateSolidBrush, CreateFontIndirectA, GetBkColor, GetTextColor, GetStockObject, GetRgnBox, PatBlt, SetRectRgn, CombineRgn, GetMapMode, CreatePatternBrush, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetPixel, BitBlt, GetWindowExtEx, CreateRectRgnIndirect, GetDeviceCaps, CreateRectRgn, SelectClipRgn, IntersectClipRect, ExcludeClipRect, SetMapMode, SetBkMode, RestoreDC, SaveDC, GetTextExtentPoint32A, GetTextMetricsA, CreateFontA, GetCharWidthA, DeleteObject, SelectObject, StretchDIBits, DeleteDC, CreateCompatibleDC, CreateCompatibleBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, GetViewportExtEx
comdlg32.dll: GetSaveFileNameA, GetFileTitleA, GetOpenFileNameA
WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll: GetFileSecurityA, RegSetValueA, RegOpenKeyA, RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyA, RegQueryValueA, RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyA, RegCloseKey, SetFileSecurityA
SHELL32.dll: DragQueryFileA, ExtractIconA, SHGetFileInfoA, DragFinish
COMCTL32.dll: ImageList_Draw, ImageList_GetImageInfo, ImageList_Destroy
SHLWAPI.dll: PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
oledlg.dll: (no named imports listed)
ole32.dll: CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CLSIDFromProgID, CoTaskMemFree, OleUninitialize, CoFreeUnusedLibraries, CoRegisterMessageFilter, OleFlushClipboard, OleIsCurrentClipboard, CoRevokeClassObject, CoTaskMemAlloc, OleInitialize
OLEAUT32.dll: SysAllocStringLen, VariantClear, VariantChangeType, VariantInit, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, VariantCopy, SysFreeString
Exports
Name | Ordinal | Address
DllRegisterServer | 1 | 0x10005090
DllUnregisterServerr | 2 | 0x100050c0
Language of compilation system | Country where language is spoken
Spanish | Mexico
Snort IDS alerts
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/20/22-01:07:10.809694 | TCP | 2404304 | ET CNC Feodo Tracker Reported CnC Server TCP group 3 | 49822 | 7080 | 192.168.2.5 | 119.193.124.41
07/20/22-01:07:08.508000 | TCP | 2404338 | ET CNC Feodo Tracker Reported CnC Server TCP group 20 | 49811 | 8080 | 192.168.2.5 | 51.91.76.89
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 20, 2022 01:06:46.936866999 CEST | 49767 | 443 | 192.168.2.5 | 70.36.102.35
Jul 20, 2022 01:06:46.936918020 CEST | 443 | 49767 | 70.36.102.35 | 192.168.2.5
Jul 20, 2022 01:06:46.937026024 CEST | 49767 | 443 | 192.168.2.5 | 70.36.102.35
Jul 20, 2022 01:06:46.988656998 CEST | 49767 | 443 | 192.168.2.5 | 70.36.102.35
Jul 20, 2022 01:06:46.988699913 CEST | 443 | 49767 | 70.36.102.35 | 192.168.2.5
Jul 20, 2022 01:06:47.166369915 CEST | 443 | 49767 | 70.36.102.35 | 192.168.2.5
Jul 20, 2022 01:06:47.175667048 CEST | 49768 | 443 | 192.168.2.5 | 70.36.102.35
Jul 20, 2022 01:06:47.175726891 CEST | 443 | 49768 | 70.36.102.35 | 192.168.2.5
Jul 20, 2022 01:06:47.175817966 CEST | 49768 | 443 | 192.168.2.5 | 70.36.102.35
Jul 20, 2022 01:06:47.176795959 CEST | 49768 | 443 | 192.168.2.5 | 70.36.102.35
Jul 20, 2022 01:06:47.176825047 CEST | 443 | 49768 | 70.36.102.35 | 192.168.2.5
Jul 20, 2022 01:06:47.348900080 CEST | 443 | 49768 | 70.36.102.35 | 192.168.2.5
Jul 20, 2022 01:06:47.356182098 CEST | 49769 | 443 | 192.168.2.5 | 70.36.102.35
Jul 20, 2022 01:06:47.356241941 CEST | 443 | 49769 | 70.36.102.35 | 192.168.2.5
Jul 20, 2022 01:06:47.356360912 CEST | 49769 | 443 | 192.168.2.5 | 70.36.102.35
Jul 20, 2022 01:06:47.356899023 CEST | 49769 | 443 | 192.168.2.5 | 70.36.102.35
Jul 20, 2022 01:06:47.356967926 CEST | 443 | 49769 | 70.36.102.35 | 192.168.2.5
Jul 20, 2022 01:06:47.357043982 CEST | 49769 | 443 | 192.168.2.5 | 70.36.102.35
Jul 20, 2022 01:06:47.450864077 CEST | 49770 | 8080 | 192.168.2.5 | 92.240.254.110
Jul 20, 2022 01:06:50.456844091 CEST | 49770 | 8080 | 192.168.2.5 | 92.240.254.110
Jul 20, 2022 01:06:56.457360983 CEST | 49770 | 8080 | 192.168.2.5 | 92.240.254.110
Jul 20, 2022 01:07:08.507999897 CEST | 49811 | 8080 | 192.168.2.5 | 51.91.76.89
Jul 20, 2022 01:07:08.528073072 CEST | 8080 | 49811 | 51.91.76.89 | 192.168.2.5
Jul 20, 2022 01:07:09.036581039 CEST | 49811 | 8080 | 192.168.2.5 | 51.91.76.89
Jul 20, 2022 01:07:09.056623936 CEST | 8080 | 49811 | 51.91.76.89 | 192.168.2.5
Jul 20, 2022 01:07:09.567893982 CEST | 49811 | 8080 | 192.168.2.5 | 51.91.76.89
Jul 20, 2022 01:07:09.589181900 CEST | 8080 | 49811 | 51.91.76.89 | 192.168.2.5
Jul 20, 2022 01:07:09.615654945 CEST | 49817 | 8080 | 192.168.2.5 | 217.182.25.250
Jul 20, 2022 01:07:09.643641949 CEST | 8080 | 49817 | 217.182.25.250 | 192.168.2.5
Jul 20, 2022 01:07:10.146051884 CEST | 49817 | 8080 | 192.168.2.5 | 217.182.25.250
Jul 20, 2022 01:07:10.174648046 CEST | 8080 | 49817 | 217.182.25.250 | 192.168.2.5
Jul 20, 2022 01:07:10.771107912 CEST | 49817 | 8080 | 192.168.2.5 | 217.182.25.250
Jul 20, 2022 01:07:10.799603939 CEST | 8080 | 49817 | 217.182.25.250 | 192.168.2.5
Jul 20, 2022 01:07:10.809694052 CEST | 49822 | 7080 | 192.168.2.5 | 119.193.124.41
Jul 20, 2022 01:07:11.079042912 CEST | 7080 | 49822 | 119.193.124.41 | 192.168.2.5
Jul 20, 2022 01:07:11.079195976 CEST | 49822 | 7080 | 192.168.2.5 | 119.193.124.41
Jul 20, 2022 01:07:11.082602024 CEST | 49822 | 7080 | 192.168.2.5 | 119.193.124.41
Jul 20, 2022 01:07:11.353307962 CEST | 7080 | 49822 | 119.193.124.41 | 192.168.2.5
Jul 20, 2022 01:07:11.369446039 CEST | 7080 | 49822 | 119.193.124.41 | 192.168.2.5
Jul 20, 2022 01:07:11.369509935 CEST | 7080 | 49822 | 119.193.124.41 | 192.168.2.5
Jul 20, 2022 01:07:11.369604111 CEST | 49822 | 7080 | 192.168.2.5 | 119.193.124.41
Jul 20, 2022 01:07:12.626746893 CEST | 49822 | 7080 | 192.168.2.5 | 119.193.124.41
Jul 20, 2022 01:07:12.898112059 CEST | 7080 | 49822 | 119.193.124.41 | 192.168.2.5
Jul 20, 2022 01:07:12.898277998 CEST | 49822 | 7080 | 192.168.2.5 | 119.193.124.41
Jul 20, 2022 01:07:12.903048992 CEST | 49822 | 7080 | 192.168.2.5 | 119.193.124.41
Jul 20, 2022 01:07:13.218106985 CEST | 7080 | 49822 | 119.193.124.41 | 192.168.2.5
Jul 20, 2022 01:07:14.065052986 CEST | 7080 | 49822 | 119.193.124.41 | 192.168.2.5
Jul 20, 2022 01:07:14.065643072 CEST | 49822 | 7080 | 192.168.2.5 | 119.193.124.41
Jul 20, 2022 01:07:17.064517021 CEST | 7080 | 49822 | 119.193.124.41 | 192.168.2.5
Jul 20, 2022 01:07:17.064565897 CEST | 7080 | 49822 | 119.193.124.41 | 192.168.2.5
Jul 20, 2022 01:07:17.064661980 CEST | 49822 | 7080 | 192.168.2.5 | 119.193.124.41
Jul 20, 2022 01:08:36.268321991 CEST | 49822 | 7080 | 192.168.2.5 | 119.193.124.41
Jul 20, 2022 01:08:36.268376112 CEST | 49822 | 7080 | 192.168.2.5 | 119.193.124.41


Target ID: 0
Start time: 01:06:21
Start date: 20/07/2022
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll"
Imagebase: 0xff0000
File size: 116736 bytes
MD5 hash: 7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 1
Start time: 01:06:22
Start date: 20/07/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll",#1
Imagebase: 0x1100000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 01:06:22
Start date: 20/07/2022
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32.exe /s C:\Users\user\Desktop\9818t9ks1s.dll
Imagebase: 0x8f0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.440856153.00000000049E1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.440856153.00000000049E1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.440822056.00000000049B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.440822056.00000000049B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 3
Start time: 01:06:22
Start date: 20/07/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\9818t9ks1s.dll",#1
Imagebase: 0xc60000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.438019180.00000000049F1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.438019180.00000000049F1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.437810837.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.437810837.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 4
Start time: 01:06:23
Start date: 20/07/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\9818t9ks1s.dll,DllRegisterServer
Imagebase: 0xc60000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.438281451.0000000004290000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.438281451.0000000004290000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.438313364.00000000042C1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.438313364.00000000042C1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 5
Start time: 01:06:26
Start date: 20/07/2022
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvqee\qeggfkimakwygr.che"
Imagebase: 0x8f0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.954167693.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.954167693.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.954213063.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.954213063.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 6
Start time: 01:06:27
Start date: 20/07/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\9818t9ks1s.dll,DllUnregisterServerr
Imagebase: 0xc60000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 12
Start time: 01:06:47
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff78ca80000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 13
Start time: 01:06:51
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff78ca80000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 14
Start time: 01:07:04
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff78ca80000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 16
Start time: 01:07:10
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff78ca80000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 22
Start time: 01:07:41
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff78ca80000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 24
Start time: 01:07:51
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff78ca80000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

No disassembly