
Windows Analysis Report
xhOJLzQSe7

Overview

General Information

Sample Name: xhOJLzQSe7 (renamed file extension from none to dll)
Analysis ID: 669375
MD5: 2408e1b795944eabc7f184c634b0ed81
SHA1: 01f644589eebee027396cc2bc925c07f1dfbd573
SHA256: 81875fefda81b8cfa1ab74dfac14d608d01c2cd9f94abb232e2c6c91a63b3682
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6764 cmdline: loaddll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6772 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6792 cmdline: rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6780 cmdline: regsvr32.exe /s C:\Users\user\Desktop\xhOJLzQSe7.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • regsvr32.exe (PID: 6888 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Smcoeugpjqpltwaq\padmvjcc.wwg" MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 6808 cmdline: rundll32.exe C:\Users\user\Desktop\xhOJLzQSe7.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 7112 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6348 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6376 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4572 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7052 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
Source | Rule | Description | Author
00000006.00000002.972201454.0000000002F01000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000006.00000002.972201454.0000000002F01000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000002.00000002.471795717.00000000043F1000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.471795717.00000000043F1000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000003.00000002.465962452.0000000000C01000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
Source | Rule | Description | Author
3.2.rundll32.exe.bb0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
3.2.rundll32.exe.bb0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
2.2.regsvr32.exe.c10000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
2.2.regsvr32.exe.c10000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.rundll32.exe.bb0000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
                      No Sigma rule has matched
Timestamp: 07/20/22-01:12:50.117023
SID: 2404338
Source: 192.168.2.5:49816
Destination: 51.91.76.89:8080
Protocol: TCP
Classtype: A Network Trojan was detected
Timestamp: 07/20/22-01:12:52.851489
SID: 2404304
Source: 192.168.2.5:49827
Destination: 119.193.124.41:7080
Protocol: TCP
Classtype: A Network Trojan was detected

                      AV Detection

Source: xhOJLzQSe7.dll | Virustotal: Detection: 69%
Source: xhOJLzQSe7.dll | Avira: detected
Source: https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq | Avira URL Cloud: Label: malware
Source: https://70.36.102.35/ | Avira URL Cloud: Label: malware
Source: https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjwq | Avira URL Cloud: Label: malware
Source: https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjw | Avira URL Cloud: Label: malware
Source: https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq9 | Avira URL Cloud: Label: malware
Source: https://51.91.76.89/ | Avira URL Cloud: Label: malware
Source: https://70.36.102.35/Default | Avira URL Cloud: Label: malware
Source: 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet
Source: xhOJLzQSe7.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,

                      Networking

Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 217.182.25.250 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 70.36.102.35 443
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 51.91.76.89 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 119.193.124.41 7080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 92.240.254.110 8080
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49816 -> 51.91.76.89:8080
Source: Traffic | Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.5:49827 -> 119.193.124.41:7080
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: PERFECT-INTERNATIONALUS
Source: Joe Sandbox View | IP Address: 217.182.25.250
Source: Joe Sandbox View | IP Address: 70.36.102.35
Source: global traffic | TCP traffic: 192.168.2.5:49769 -> 92.240.254.110:8080
Source: global traffic | TCP traffic: 192.168.2.5:49816 -> 51.91.76.89:8080
Source: global traffic | TCP traffic: 192.168.2.5:49822 -> 217.182.25.250:8080
Source: global traffic | TCP traffic: 192.168.2.5:49827 -> 119.193.124.41:7080
Source: unknown | Network traffic detected: IP country count 13
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown | TCP traffic detected without corresponding DNS query: 92.240.254.110
Source: unknown | TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown | TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown | TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: regsvr32.exe, 00000006.00000003.564381173.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972607400.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.840968249.00000257CCC64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.799630816.0000020F4E300000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.840794935.00000257CCC14000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.799488078.0000020F4DAE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000006.00000003.564381173.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972607400.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000006.00000003.564381173.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972607400.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab.
Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.193.124.41/
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972295392.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb
Source: regsvr32.exe, 00000006.00000002.972295392.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb#T
Source: regsvr32.exe, 00000006.00000002.972295392.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb1T
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPbV
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://217.182.25.250/
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://217.182.25.250/6
Source: regsvr32.exe, 00000006.00000002.972587978.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564257822.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://217.182.25.250:8080/wyXUykQBFXLgUDhBPADNipDGWMKugALsfbonBqKseR
Source: regsvr32.exe, 00000006.00000002.972587978.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564257822.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://217.182.25.250:8080/wyXUykQBFXLgUDhBPADNipDGWMKugALsfbonBqKseR9
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://51.91.76.89/
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq9
Source: regsvr32.exe, 00000006.00000003.506754073.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.506733124.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://70.36.102.35/
Source: regsvr32.exe, 00000006.00000003.552388525.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://70.36.102.35/Default
Source: regsvr32.exe, 00000006.00000003.506754073.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjw
                      Source: regsvr32.exe, 00000006.00000003.506754073.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjwq
                      Source: regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://92.240.254.110/
                      Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://92.240.254.110/t
                      Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552388525.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://92.240.254.110:8080/
                      Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://92.240.254.110:8080/OozwNWoXrNLqNNtlQCBStrfsHlZQDyVVCeVUrhuzIDQnbSNZedOwyJtV
                      Source: regsvr32.exe, 00000006.00000002.972587978.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564257822.0000000002FC7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://92.240.254.110:8080/OozwNWoXrNLqNNtlQCBStrfsHlZQDyVVCeVUrhuzIDQnbSNZedOwyJtV6
                      Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://92.240.254.110:8080/i
                      Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 00000015.00000003.764113869.0000020F4E378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762818013.0000020F4E3A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762692728.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762844012.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762785842.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.764136260.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.hotspotshield.com/
                      Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000015.00000003.764113869.0000020F4E378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762818013.0000020F4E3A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762692728.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762844012.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762785842.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.764136260.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.hotspotshield.com/terms/
                      Source: svchost.exe, 00000015.00000003.764113869.0000020F4E378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762818013.0000020F4E3A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762692728.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762844012.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762785842.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.764136260.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.pango.co/privacy
                      Source: svchost.exe, 00000015.00000003.771381314.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.771276935.0000020F4E3AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.771350523.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.771307358.0000020F4E398000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: loaddll32.exe, 00000000.00000002.466537071.000000000097B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000ACED GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000ACED GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

                      E-Banking Fraud

                      Source: Yara match File source: 3.2.rundll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.2.regsvr32.exe.c10000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.bb0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.rundll32.exe.3280000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.regsvr32.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.rundll32.exe.3250000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.2.regsvr32.exe.43f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.rundll32.exe.3250000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.regsvr32.exe.2e00000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.c00000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.regsvr32.exe.2f00000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.2.regsvr32.exe.c10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000006.00000002.972201454.0000000002F01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000002.471795717.00000000043F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.465962452.0000000000C01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.466876693.0000000003250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000002.471763679.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.465829043.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.466979688.0000000003281000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.972129886.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: xhOJLzQSe7.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                      Source: C:\Windows\SysWOW64\regsvr32.exe File deleted: C:\Windows\SysWOW64\Smcoeugpjqpltwaq\padmvjcc.wwg:Zone.Identifier
                      Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Windows\SysWOW64\Smcoeugpjqpltwaq\
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1001FBC4 appears 143 times
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1001FBF7 appears 39 times
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10022714 appears 51 times
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10004D7A appears 33 times
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001FBC4 appears 143 times
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001FBF7 appears 39 times
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10022714 appears 51 times
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10004D7A appears 33 times
                      Source: xhOJLzQSe7.dll Binary or memory string: OriginalFilenameBaseDLG_MFC.EXEN vs xhOJLzQSe7.dll
                      Source: xhOJLzQSe7.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
                      Source: xhOJLzQSe7.dll Virustotal: Detection: 69%
                      Source: xhOJLzQSe7.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll"
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\xhOJLzQSe7.dll
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xhOJLzQSe7.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Smcoeugpjqpltwaq\padmvjcc.wwg"
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
                      Source: classification engine Classification label: mal100.troj.evad.winDLL@17/5@0/35
                      Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Users\desktop.ini
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100042F6 GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,FindResourceW,LoadResource,SizeofResource,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,VirtualAllocExNuma,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,_printf,
                      Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: xhOJLzQSe7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: xhOJLzQSe7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: xhOJLzQSe7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: xhOJLzQSe7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: xhOJLzQSe7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10022759 push ecx; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FC9C push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10022759 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001FC9C push ecx; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002C912 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: xhOJLzQSe7.dll Static PE information: real checksum: 0xa0f94 should be: 0xa1c03
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\xhOJLzQSe7.dll
                      Source: C:\Windows\SysWOW64\regsvr32.exe PE file moved: C:\Windows\SysWOW64\Smcoeugpjqpltwaq\padmvjcc.wwg

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Smcoeugpjqpltwaq\padmvjcc.wwg:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Xzqbzebvc\likpmyarcnrmr.nnt:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Peztz\yraxpwfxlfeitn.uit:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100084E6 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100037A6 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100084E6 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100037A6 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 7148 Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5944 Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6352 Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
                      Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                      Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                      Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\regsvr32.exe File Volume queried: C:\ FullSizeInformation
                      Source: svchost.exe, 00000008.00000002.840968249.00000257CCC64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "@Hyper-V RAW
                      Source: svchost.exe, 00000015.00000002.799503325.0000020F4DAF6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
                      Source: regsvr32.exe, 00000006.00000003.506754073.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.506733124.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552388525.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.840188612.00000257C742A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.840947326.00000257CCC58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.799200631.0000020F4DA85000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: svchost.exe, 0000000C.00000002.972147470.000001A5AC602000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: svchost.exe, 0000000C.00000002.972252494.000001A5AC628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100206F8 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd,
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002ACAB __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10024E50 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10027FD8 SetUnhandledExceptionFilter,__encode_pointer,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10027FFA __decode_pointer,SetUnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002ACAB __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10024E50 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10027FD8 SetUnhandledExceptionFilter,__encode_pointer,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10027FFA __decode_pointer,SetUnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\regsvr32.exeNetwork Connect: 217.182.25.250 8080
                      Source: C:\Windows\SysWOW64\regsvr32.exeNetwork Connect: 70.36.102.35 443
                      Source: C:\Windows\SysWOW64\regsvr32.exeNetwork Connect: 51.91.76.89 8080
                      Source: C:\Windows\SysWOW64\regsvr32.exeNetwork Connect: 119.193.124.41 7080
                      Source: C:\Windows\SysWOW64\regsvr32.exeNetwork Connect: 92.240.254.110 8080
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1
                      Source: C:\Windows\SysWOW64\regsvr32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1002DE74 cpuid
                      Source: C:\Windows\SysWOW64\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10027ED8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1002C0EA __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_100206F8 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd,
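The five "Network Connect" entries above are the sample's C2 endpoints, and all of them originate from regsvr32.exe in SysWOW64, mostly on non-web ports (8080, 7080). The following is an added example, not code from the Joe Sandbox report or from the sample: it turns those IP:port pairs into a blocklist and scans connection-log lines for two things, a hit on a listed endpoint, and a regsvr32/rundll32/loaddll32 process opening outbound TCP to a port other than 80 or 443. The log lines are constructed for the example (they imitate Sysmon network events in key=value form, not a real log format), and the LOLBin/non-web-port rule is a heuristic assumed here, not a signature stated in the report.

```python
"""Flag C2 traffic listed in the sandbox report inside connection logs.

Added example, not part of the Joe Sandbox report. The REPORT_C2 set is
copied from the report's "Network Connect" signatures; the log lines are
constructed; the LOLBin heuristic is an assumption of this example.
"""
import re
from dataclasses import dataclass

# C2 endpoints copied verbatim from the report's "Network Connect" entries
# (regsvr32.exe connecting to IP:port).
REPORT_C2 = {
    ("217.182.25.250", 8080),
    ("70.36.102.35", 443),
    ("51.91.76.89", 8080),
    ("119.193.124.41", 7080),
    ("92.240.254.110", 8080),
}

# Heuristic (assumption, not from the report): DLL-hosting LOLBins rarely
# have a legitimate reason to open outbound TCP to non-web ports.
LOLBIN_HOSTS = {"regsvr32.exe", "rundll32.exe", "loaddll32.exe"}
WEB_PORTS = {80, 443}

# Constructed sample log (not real telemetry), one network event per line.
SAMPLE_LOG = """\
ts=2022-07-20T10:01:02Z image=C:\\Windows\\SysWOW64\\regsvr32.exe dst=217.182.25.250 dport=8080 proto=tcp
ts=2022-07-20T10:01:03Z image=C:\\Windows\\SysWOW64\\regsvr32.exe dst=70.36.102.35 dport=443 proto=tcp
ts=2022-07-20T10:01:05Z image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=93.184.216.34 dport=443 proto=tcp
ts=2022-07-20T10:01:09Z image=C:\\Windows\\SysWOW64\\rundll32.exe dst=198.51.100.7 dport=7080 proto=tcp
ts=2022-07-20T10:01:11Z image=C:\\Windows\\System32\\svchost.exe dst=192.168.2.1 dport=53 proto=udp
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+image=(?P<image>.+?)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    image: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one key=value event line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def classify(event):
    """Return a reason string if the event is suspicious, else None."""
    endpoint = (event["dst"], event["dport"])
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    if endpoint in REPORT_C2:
        return "known C2 endpoint listed in report"
    if exe in LOLBIN_HOSTS and event["proto"] == "tcp" and event["dport"] not in WEB_PORTS:
        return f"{exe} outbound TCP to non-web port {event['dport']}"
    return None


def scan(log_text):
    """Run classify() over every parseable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason:
            findings.append(Finding(ev["ts"], ev["image"], ev["dst"], ev["dport"], reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.image} -> {f.dst}:{f.dport}  [{f.reason}]")
```

The exact-match rule is the high-confidence one; the port heuristic is there because C2 addresses rotate while the regsvr32/rundll32-to-odd-port pattern seen in this report does not, so it catches the next sample at the cost of tuning for environments where those binaries legitimately talk to proxies on non-standard ports.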

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: 3.2.rundll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.c10000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.bb0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.3280000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.3250000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.43f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.3250000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2e00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.c00000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2f00000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.c10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000006.00000002.972201454.0000000002F01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.471795717.00000000043F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.465962452.0000000000C01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.466876693.0000000003250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.471763679.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.465829043.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.466979688.0000000003281000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.972129886.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (flattened from the report's table; techniques are listed per tactic column, in column order; a number in parentheses is the signature-count badge shown next to that technique, copied as extracted; techniques without a number are the matrix template entries with no match)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Masquerading (2); Virtualization/Sandbox Evasion (3); Process Injection (111); Deobfuscate/Decode Files or Information (1); Hidden Files and Directories (1); Obfuscated Files or Information (2); Regsvr32 (1); Rundll32 (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: Input Capture (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Security Software Discovery (41); Virtualization/Sandbox Evasion (3); Process Discovery (1); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (45); System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Input Capture (2); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Encrypted Channel (12); Non-Standard Port (1); Application Layer Protocol (11); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Generate Fraudulent Advertising Revenue
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph

Behavior Graph ID: 669375
Sample: xhOJLzQSe7
Start date: 20/07/2022
Architecture: WINDOWS
Score: 100

Top-level network nodes: 136.31.0.0 (WEBPASSUS, United States); 120.16.251.2 (VODAFONE-AS-APVodafoneAustraliaPtyLtdAU, Australia); 26 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 3 other signatures

Process tree (child processes indented under their parent):
loaddll32.exe (started)
    regsvr32.exe
        Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
        regsvr32.exe
            Network: 70.36.102.35, 443, 49766, 49767 (PERFECT-INTERNATIONALUS, United States)
            Network: 217.182.25.250, 49822, 8080 (OVHFR, France)
            Network: 3 other IPs or domains
            Signature: System process connects to network (likely due to code injection or exploit)
    cmd.exe
        rundll32.exe
            Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    rundll32.exe
svchost.exe (started)
    Network: 127.0.0.1
svchost.exe (started)
    Network: 192.168.2.1
4 other processes

Antivirus, Machine Learning and Genetic Malware Detection

Submitted file (Source | Detection | Scanner | Label | Link)
xhOJLzQSe7.dll | 70% | Virustotal | | Browse
xhOJLzQSe7.dll | 100% | Avira | TR/Emotet.uwcip |

No Antivirus matches

Unpacked PE files (Source | Detection | Scanner | Label | Link | Download)
2.2.regsvr32.exe.c10000.0.unpack | 100% | Avira | HEUR/AGEN.1215461 | | Download File
6.2.regsvr32.exe.2e00000.0.unpack | 100% | Avira | HEUR/AGEN.1215461 | | Download File
6.2.regsvr32.exe.2f00000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
4.2.rundll32.exe.3280000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
3.2.rundll32.exe.c00000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
3.2.rundll32.exe.bb0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461 | | Download File
4.2.rundll32.exe.3250000.0.unpack | 100% | Avira | HEUR/AGEN.1215461 | | Download File
2.2.regsvr32.exe.43f0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File

No Antivirus matches

URLs (Source | Detection | Scanner | Label | Link)
https://92.240.254.110:8080/i | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://92.240.254.110:8080/OozwNWoXrNLqNNtlQCBStrfsHlZQDyVVCeVUrhuzIDQnbSNZedOwyJtV6 | 0% | Avira URL Cloud | safe
https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb | 0% | Avira URL Cloud | safe
https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq | 100% | Avira URL Cloud | malware
https://70.36.102.35/ | 100% | Avira URL Cloud | malware
https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb1T | 0% | Avira URL Cloud | safe
https://92.240.254.110/t | 0% | Avira URL Cloud | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb#T | 0% | Avira URL Cloud | safe
https://217.182.25.250:8080/wyXUykQBFXLgUDhBPADNipDGWMKugALsfbonBqKseR | 0% | Avira URL Cloud | safe
https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjwq | 100% | Avira URL Cloud | malware
https://92.240.254.110:8080/ | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://217.182.25.250:8080/wyXUykQBFXLgUDhBPADNipDGWMKugALsfbonBqKseR9 | 0% | Avira URL Cloud | safe
https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjw | 100% | Avira URL Cloud | malware
https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq9 | 100% | Avira URL Cloud | malware
https://92.240.254.110:8080/OozwNWoXrNLqNNtlQCBStrfsHlZQDyVVCeVUrhuzIDQnbSNZedOwyJtV | 0% | Avira URL Cloud | safe
https://217.182.25.250/6 | 0% | Avira URL Cloud | safe
https://51.91.76.89/ | 100% | Avira URL Cloud | malware
https://www.pango.co/privacy | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
https://119.193.124.41/ | 0% | Avira URL Cloud | safe
https://217.182.25.250/ | 0% | Avira URL Cloud | safe
https://92.240.254.110/ | 0% | Avira URL Cloud | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://70.36.102.35/Default | 100% | Avira URL Cloud | malware
https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPbV | 0% | Avira URL Cloud | safe
                      No contacted domains info
URLs from memory and binaries (Name, then Source memory dumps, Malicious flag, Antivirus Detection and Reputation for each entry)

https://92.240.254.110:8080/i
    Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://www.disneyplus.com/legal/your-california-privacy-rights
    Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown

https://92.240.254.110:8080/OozwNWoXrNLqNNtlQCBStrfsHlZQDyVVCeVUrhuzIDQnbSNZedOwyJtV6
    Source: regsvr32.exe, 00000006.00000002.972587978.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564257822.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb
    Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972295392.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq
    Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true
    Antivirus detection: Avira URL Cloud: malware
    Reputation: unknown

https://70.36.102.35/
    Source: regsvr32.exe, 00000006.00000003.506754073.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.506733124.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true
    Antivirus detection: Avira URL Cloud: malware
    Reputation: unknown

https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb1T
    Source: regsvr32.exe, 00000006.00000002.972295392.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://92.240.254.110/t
    Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

http://crl.ver)
    Source: svchost.exe, 00000008.00000002.840794935.00000257CCC14000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.799488078.0000020F4DAE9000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: low

https://www.tiktok.com/legal/report/feedback
    Source: svchost.exe, 00000015.00000003.771381314.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.771276935.0000020F4E3AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.771350523.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.771307358.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown

https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb#T
    Source: regsvr32.exe, 00000006.00000002.972295392.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://217.182.25.250:8080/wyXUykQBFXLgUDhBPADNipDGWMKugALsfbonBqKseR
    Source: regsvr32.exe, 00000006.00000002.972587978.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564257822.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjwq
    Source: regsvr32.exe, 00000006.00000003.506754073.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true
    Antivirus detection: Avira URL Cloud: malware
    Reputation: unknown

https://support.hotspotshield.com/
    Source: svchost.exe, 00000015.00000003.764113869.0000020F4E378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762818013.0000020F4E3A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762692728.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762844012.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762785842.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.764136260.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high

https://92.240.254.110:8080/
    Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552388525.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://www.disneyplus.com/legal/privacy-policy
    Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown

https://217.182.25.250:8080/wyXUykQBFXLgUDhBPADNipDGWMKugALsfbonBqKseR9
    Source: regsvr32.exe, 00000006.00000002.972587978.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564257822.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjw
    Source: regsvr32.exe, 00000006.00000003.506754073.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true
    Antivirus detection: Avira URL Cloud: malware
    Reputation: unknown

https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq9
    Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true
    Antivirus detection: Avira URL Cloud: malware
    Reputation: unknown

https://92.240.254.110:8080/OozwNWoXrNLqNNtlQCBStrfsHlZQDyVVCeVUrhuzIDQnbSNZedOwyJtV
    Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://217.182.25.250/6
    Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://51.91.76.89/
    Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true
    Antivirus detection: Avira URL Cloud: malware
    Reputation: unknown

https://www.hotspotshield.com/terms/
    Source: svchost.exe, 00000015.00000003.764113869.0000020F4E378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762818013.0000020F4E3A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762692728.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762844012.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762785842.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.764136260.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high

https://www.pango.co/privacy
    Source: svchost.exe, 00000015.00000003.764113869.0000020F4E378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762818013.0000020F4E3A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762692728.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762844012.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762785842.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.764136260.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown

https://disneyplus.com/legal.
    Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown

https://119.193.124.41/
    Source: regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://217.182.25.250/
    Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

https://92.240.254.110/
    Source: regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

http://help.disneyplus.com.
    Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown

https://70.36.102.35/Default
    Source: regsvr32.exe, 00000006.00000003.552388525.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true
    Antivirus detection: Avira URL Cloud: malware
    Reputation: unknown

https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPbV
    Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown
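When this report is scraped rather than read, the URL verdict rows come out with the URL, detection percentage, scanner name and verdict run together with no separator, and a URL path that itself ends in a digit (for example "...JtV6" followed by "0%") makes a naive split wrong. The block below is an added example, not part of the Joe Sandbox report: it parses rows in that run-together form into records, then collapses the malware-verdict URLs to host:port indicators of the kind a blocklist needs. The rows embedded in it are copied from this report as extracted; the only assumption is that a detection percentage in these rows is always 0 or 100, which is what this report shows.

```python
"""Parse run-together Joe Sandbox URL verdict rows and derive host:port IOCs.

Added example, not part of the report. RAW_ROWS is copied from this report
as extracted; the closed percentage set {0, 100} is an assumption taken
from the values this report shows.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Rows exactly as they come out of the report's HTML extraction: URL,
# detection %, scanner and verdict run together with no separator.
RAW_ROWS = """\
https://92.240.254.110:8080/i0%Avira URL Cloudsafe
https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq100%Avira URL Cloudmalware
https://70.36.102.35/100%Avira URL Cloudmalware
https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb1T0%Avira URL Cloudsafe
https://92.240.254.110:8080/OozwNWoXrNLqNNtlQCBStrfsHlZQDyVVCeVUrhuzIDQnbSNZedOwyJtV60%Avira URL Cloudsafe
https://217.182.25.250:8080/wyXUykQBFXLgUDhBPADNipDGWMKugALsfbonBqKseR90%Avira URL Cloudsafe
https://www.disneyplus.com/legal/privacy-policy0%URL Reputationsafe
https://70.36.102.35/Default100%Avira URL Cloudmalware
https://51.91.76.89/100%Avira URL Cloudmalware
"""

# A lazy URL match combined with a closed set of percentages resolves the
# ambiguity of a path ending in a digit: "...JtV60%" splits as "...JtV6" +
# "0%", because "60%" is not an allowed percentage.
ROW_RE = re.compile(
    r"^(?P<url>\S+?)(?P<pct>100|0)%"
    r"(?P<scanner>Avira URL Cloud|URL Reputation)(?P<verdict>safe|malware)$"
)


def parse_row(row):
    """Split one run-together row into url/pct/scanner/verdict."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unparseable row: {row!r}")
    rec = m.groupdict()
    rec["pct"] = int(rec["pct"])
    return rec


def parse_rows(text):
    """Parse every non-empty line of a pasted verdict table."""
    return [parse_row(r) for r in text.splitlines() if r.strip()]


def endpoint(url):
    """(host, port) for a URL; port defaults from the scheme when absent."""
    s = urlsplit(url)
    port = s.port or (443 if s.scheme == "https" else 80)
    return s.hostname, port


def malware_endpoints(records):
    """Map 'host:port' -> sorted URLs that the scanner rated as malware."""
    out = defaultdict(list)
    for rec in records:
        if rec["verdict"] == "malware":
            host, port = endpoint(rec["url"])
            out[f"{host}:{port}"].append(rec["url"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for ep, urls in malware_endpoints(parse_rows(RAW_ROWS)).items():
        print(f"{ep}  ({len(urls)} malware URL(s))")
```

Deriving host:port rather than keeping full URLs is deliberate: the long random-looking paths on this report's C2 URLs change per request, while the IP and port are what the "Network Connect" signatures and the IP table can be matched against.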
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
217.182.25.250 | unknown | France | 16276 | OVHFR | true
70.36.102.35 | unknown | United States | 22439 | PERFECT-INTERNATIONALUS | true
120.4.0.0 | unknown | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | true
17.181.2.0 | unknown | United States | 714 | APPLE-ENGINEERINGUS | false
200.220.252.2 | unknown | Brazil | 26599 | TELEFONICABRASILSABR | true
168.18.251.2 | unknown | United States | 3479 | PEACHNET-AS1US | true
48.13.251.2 | unknown | United States | 2686 | ATGS-MMD-ASUS | true
120.16.251.2 | unknown | Australia | 133612 | VODAFONE-AS-APVodafoneAustraliaPtyLtdAU | true
23.181.2.0 | unknown | Reserved | 23473 | PAVLOVMEDIAUS | true
192.153.248.2 | unknown | United States | 2562 | TI-USINTLUS | true
252.180.2.0 | unknown | Reserved | unknown | unknown | true
128.63.180.0 | unknown | United States | 13 | DNIC-AS-00013US | true
1.255.0.0 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
136.31.0.0 | unknown | United States | 19165 | WEBPASSUS | true
32.17.251.2 | unknown | United States
                          2686ATGS-MMD-ASUStrue
                          65.83.89.67
                          unknownUnited States
                          6389BELLSOUTH-NET-BLKUStrue
                          64.56.248.2
                          unknownCanada
                          6407PRIMUS-AS6407CAtrue
                          224.18.251.2
                          unknownReserved
                          unknownunknowntrue
                          96.15.251.2
                          unknownUnited States
                          22394CELLCOUStrue
                          51.91.76.89
                          unknownFrance
                          16276OVHFRtrue
                          212.253.246.49
                          unknownTurkey
                          34984TELLCOM-ASTRtrue
                          171.213.29.176
                          unknownChina
                          4134CHINANET-BACKBONENo31Jin-rongStreetCNtrue
                          248.153.248.2
                          unknownReserved
                          unknownunknowntrue
                          14.181.2.0
                          unknownViet Nam
                          45899VNPT-AS-VNVNPTCorpVNtrue
                          144.42.251.111
                          unknownUnited States
                          27402IBC-N1UStrue
                          72.67.111.110
                          unknownUnited States
                          5650FRONTIER-FRTRUStrue
                          26.189.253.2
                          unknownUnited States
                          7922COMCAST-7922UStrue
                          96.234.0.0
                          unknownUnited States
                          701UUNETUStrue
                          119.193.124.41
                          unknownKorea Republic of
                          4766KIXS-AS-KRKoreaTelecomKRtrue
                          92.240.254.110
                          unknownSlovakia (SLOVAK Republic)
                          42005LIGHTSTORM-COMMUNICATIONS-SRO-SK-ASPeeringsSKtrue
                          176.200.250.2
                          unknownItaly
                          16232ASN-TIMServiceProviderITtrue
                          IP
                          192.168.2.1
                          192.168.2.5
                          10.181.2.0
                          127.0.0.1
                          Joe Sandbox Version:35.0.0 Citrine
                          Analysis ID:669375
Start date and time: 2022-07-20 01:10:39 +02:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 11m 15s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:xhOJLzQSe7 (renamed file extension from none to dll)
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.evad.winDLL@17/5@0/35
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:
                          • Successful, ratio: 100% (good quality ratio 95.5%)
                          • Quality average: 76.8%
                          • Quality standard deviation: 29.3%
                          HCA Information:
                          • Successful, ratio: 98%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Override analysis time to 240s for rundll32
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.223.24.244
                          • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, licensing.mp.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:12:21 | API Interceptor | 11x Sleep call for process: svchost.exe modified
                          No context
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):8192
                          Entropy (8bit):0.3593198815979092
                          Encrypted:false
                          SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
                          MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
                          SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
                          SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
                          SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
                          Malicious:false
                          Process:C:\Windows\System32\svchost.exe
                          File Type:MPEG-4 LOAS
                          Category:dropped
                          Size (bytes):1310720
                          Entropy (8bit):0.2494769775041721
                          Encrypted:false
                          SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4F:BJiRdwfu2SRU4F
                          MD5:88071C3BD9E3CC34C8D9AFDE14ED3CB4
                          SHA1:5E3FD9ADA509777A7D0275615540533DD58B7C73
                          SHA-256:F9C9F1C1C50DC3BF0C899BC591278DE1C0E35B3BFB8B60C0043F2517A37F2E20
                          SHA-512:C9DF93D5652744D560196B93E1A6731E27912A33CE17A5F1201A1BA6390F2EF5BB84087B6C9C227475D0296A6CF398FEAD390A076708EB446A2A5B2F0524C63A
                          Malicious:false
                          Process:C:\Windows\System32\svchost.exe
                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xc5b2aade, page size 16384, Windows version 10.0
                          Category:dropped
                          Size (bytes):786432
                          Entropy (8bit):0.2506485651556909
                          Encrypted:false
                          SSDEEP:384:Q75+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:Q7SSB2nSB2RSjlK/+mLesOj1J2
                          MD5:A9F772B36D7B60A4F8AE685217B8B990
                          SHA1:39EDA4A6E9D0983CBCE64B6461BAB392D836D23A
                          SHA-256:51123EBF547311EA6563ECCF8E6F5BEECAB06BEDF7B98F85C4DDD51A991C33DC
                          SHA-512:02D38075F3C561202B9FF22BA5DC303DF1265F8114311CB88FFFF5B52CCF0429921A0191FA90B786E533C97F757017A2C9DE9F3D6A379F08C8FBACA4F322B548
                          Malicious:false
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):0.07701541276467044
                          Encrypted:false
                          SSDEEP:3:fS7vwKeh7WkE/vbWlXvF5l//Uwikf8/all3Vkttlmlnl:6rwFAzWlXTt80fZ3
                          MD5:49858689703A1D91AC87C7D09DD56D04
                          SHA1:C97DCE7C9AACE737EB1A83A686C02864F6B394BA
                          SHA-256:2908DC01BF0447C5861A039D5BDC4BE8C6BC1D4296C0E7A8F56D33DCDAC80EEB
                          SHA-512:BE25C0D1654B22692BE3F5C5CC3CB16DFAB696F73F2C6C31C9D8FFBEF88E31D738F09B8F265F14C2CEFC9AA9A5720565C8656D3C5727006B9FBBF7CC36F6BF00
                          Malicious:false
                          Process:C:\Windows\System32\svchost.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):55
                          Entropy (8bit):4.306461250274409
                          Encrypted:false
                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                          Malicious:false
                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):6.416849040145407
                          TrID:
                          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                          • Generic Win/DOS Executable (2004/3) 0.20%
                          • DOS Executable Generic (2002/1) 0.20%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:xhOJLzQSe7.dll
                          File size:626688
                          MD5:2408e1b795944eabc7f184c634b0ed81
                          SHA1:01f644589eebee027396cc2bc925c07f1dfbd573
                          SHA256:81875fefda81b8cfa1ab74dfac14d608d01c2cd9f94abb232e2c6c91a63b3682
                          SHA512:d3a2909078d6f7b8624e049b17b2ee21b038ae242a7ed4e50222567ca1cf36eb4e72d5f354d2fc8a3ce2642307246a6ea2d04c10b889c1b1fba4d99ce9aa582d
                          SSDEEP:6144:XvRov7wREVy3B6yu4YXep2v5uYxlNmsgrR8drCSi78SLUYeDrQ0Ax+xSEN:ZsVyXu4YupcuYVmxrSsmD8fx+xJ
                          TLSH:E7D46C117691C832FC995F34359392BD1FF87F64AAA4822BEF903A4D6BB35008E146D7
                          Icon Hash:71b018ccc6577131
                          Entrypoint:0x100209c7
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x10000000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                          DLL Characteristics:
                          Time Stamp:0x623C8770 [Thu Mar 24 15:00:00 2022 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:196752bd65f33bc6f5dd0426f39259ae
                          Instruction
                          cmp dword ptr [esp+08h], 01h
                          jne 00007FBA0CD80087h
                          call 00007FBA0CD8758Ah
                          push dword ptr [esp+04h]
                          mov ecx, dword ptr [esp+10h]
                          mov edx, dword ptr [esp+0Ch]
                          call 00007FBA0CD7FF72h
                          pop ecx
                          retn 000Ch
                          push ebp
                          mov ebp, esp
                          sub esp, 20h
                          mov eax, dword ptr [ebp+08h]
                          push esi
                          push edi
                          push 00000008h
                          pop ecx
                          mov esi, 100397B4h
                          lea edi, dword ptr [ebp-20h]
                          rep movsd
                          mov dword ptr [ebp-08h], eax
                          mov eax, dword ptr [ebp+0Ch]
                          test eax, eax
                          pop edi
                          mov dword ptr [ebp-04h], eax
                          pop esi
                          je 00007FBA0CD8008Eh
                          test byte ptr [eax], 00000008h
                          je 00007FBA0CD80089h
                          mov dword ptr [ebp-0Ch], 01994000h
                          lea eax, dword ptr [ebp-0Ch]
                          push eax
                          push dword ptr [ebp-10h]
                          push dword ptr [ebp-1Ch]
                          push dword ptr [ebp-20h]
                          call dword ptr [100360E0h]
                          leave
                          retn 0008h
                          push 00000000h
                          push dword ptr [esp+14h]
                          push dword ptr [esp+14h]
                          push dword ptr [esp+14h]
                          push dword ptr [esp+14h]
                          call 00007FBA0CD87659h
                          add esp, 14h
                          ret
                          int3
                          int3
                          int3
                          mov ecx, dword ptr [esp+04h]
                          test ecx, 00000003h
                          je 00007FBA0CD800A6h
                          mov al, byte ptr [ecx]
                          add ecx, 01h
                          test al, al
                          je 00007FBA0CD800D0h
                          test ecx, 00000003h
                          jne 00007FBA0CD80071h
                          add eax, 00000000h
                          lea esp, dword ptr [esp+00000000h]
                          lea esp, dword ptr [esp+00000000h]
                          mov eax, dword ptr [ecx]
                          mov edx, 7EFEFEFFh
                          add edx, eax
                          xor eax, FFFFFFFFh
                          xor eax, edx
                          Programming Language:
                          • [ASM] VS2005 build 50727
                          • [ C ] VS2005 build 50727
                          • [C++] VS2005 build 50727
                          • [EXP] VS2005 build 50727
                          • [RES] VS2005 build 50727
                          • [LNK] VS2005 build 50727
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x434c0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x41914 | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4b000 | 0x480b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0x3fe8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3b9a0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x36000 | 0x53c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4188c | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x340f7 | 0x35000 | False | 0.5665859006485849 | data | 6.63826832292909 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x36000 | 0xd514 | 0xe000 | False | 0.31638881138392855 | data | 4.886223825499972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x44000 | 0x6598 | 0x3000 | False | 0.2610677083333333 | data | 4.030187754909099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4b000 | 0x480b4 | 0x49000 | False | 0.5451626712328768 | data | 6.348672990248238 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x94000 | 0x8660 | 0x9000 | False | 0.3055284288194444 | data | 3.8230472463394145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
- | 0x4c074 | 0x20800 | data | Spanish | Mexico
RT_CURSOR | 0x6c874 | 0x134 | data | - | -
RT_CURSOR | 0x6c9a8 | 0xb4 | data | - | -
RT_CURSOR | 0x6ca5c | 0x134 | AmigaOS bitmap font | - | -
RT_CURSOR | 0x6cb90 | 0x134 | data | - | -
RT_CURSOR | 0x6ccc4 | 0x134 | data | - | -
RT_CURSOR | 0x6cdf8 | 0x134 | data | - | -
RT_CURSOR | 0x6cf2c | 0x134 | data | - | -
RT_CURSOR | 0x6d060 | 0x134 | data | - | -
RT_CURSOR | 0x6d194 | 0x134 | data | - | -
RT_CURSOR | 0x6d2c8 | 0x134 | data | - | -
RT_CURSOR | 0x6d3fc | 0x134 | data | - | -
RT_CURSOR | 0x6d530 | 0x134 | data | - | -
RT_CURSOR | 0x6d664 | 0x134 | AmigaOS bitmap font | - | -
RT_CURSOR | 0x6d798 | 0x134 | data | - | -
RT_CURSOR | 0x6d8cc | 0x134 | data | - | -
RT_CURSOR | 0x6da00 | 0x134 | data | - | -
RT_BITMAP | 0x6db34 | 0xb8 | data | - | -
RT_BITMAP | 0x6dbec | 0x144 | data | - | -
RT_ICON | 0x6dd30 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Spanish | Mexico
RT_ICON | 0x6e018 | 0x128 | GLS_BINARY_LSB_FIRST | Spanish | Mexico
RT_ICON | 0x6e140 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Spanish | Mexico
RT_ICON | 0x6e428 | 0x128 | GLS_BINARY_LSB_FIRST | Spanish | Mexico
RT_ICON | 0x6e550 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Spanish | Mexico
RT_ICON | 0x6e838 | 0x128 | GLS_BINARY_LSB_FIRST | Spanish | Mexico
RT_ICON | 0x6e960 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Spanish | Mexico
RT_ICON | 0x6ec48 | 0x128 | GLS_BINARY_LSB_FIRST | Spanish | Mexico
RT_ICON | 0x6ed70 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Spanish | Mexico
RT_ICON | 0x6f058 | 0x128 | GLS_BINARY_LSB_FIRST | Spanish | Mexico
RT_ICON | 0x6f180 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Spanish | Mexico
RT_ICON | 0x6f468 | 0x128 | GLS_BINARY_LSB_FIRST | Spanish | Mexico
RT_ICON | 0x6f590 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Spanish | Mexico
RT_ICON | 0x6f878 | 0x128 | GLS_BINARY_LSB_FIRST | Spanish | Mexico
RT_ICON | 0x6f9a0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Spanish | Mexico
RT_ICON | 0x6fc88 | 0x128 | GLS_BINARY_LSB_FIRST | Spanish | Mexico
RT_ICON | 0x6fdb0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | Spanish | Mexico
RT_ICON | 0x805d8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | Spanish | Mexico
RT_DIALOG | 0x90e00 | 0x12c | data | - | -
RT_DIALOG | 0x90f2c | 0x134 | data | - | -
RT_DIALOG | 0x91060 | 0xfe | data | - | -
RT_DIALOG | 0x91160 | 0x34 | data | - | -
RT_STRING | 0x91194 | 0x52 | data | - | -
RT_STRING | 0x911e8 | 0xb0 | Hitachi SH big-endian COFF object file, not stripped, 16640 sections, symbol offset=0x69007200, 201344768 symbols, optional header size 29952 | - | -
RT_STRING | 0x91298 | 0x30 | data | - | -
RT_STRING | 0x912c8 | 0x1d0 | data | - | -
RT_STRING | 0x91498 | 0x5bc | data | - | -
RT_STRING | 0x91a54 | 0x31c | data | - | -
RT_STRING | 0x91d70 | 0x300 | data | - | -
RT_STRING | 0x92070 | 0xb0 | data | - | -
RT_STRING | 0x92120 | 0xee | data | - | -
RT_STRING | 0x92210 | 0x11e | data | - | -
RT_STRING | 0x92330 | 0x4d0 | data | - | -
RT_STRING | 0x92800 | 0x248 | data | - | -
RT_STRING | 0x92a48 | 0x2e | data | - | -
RT_STRING | 0x92a78 | 0x4c | data | - | -
RT_GROUP_CURSOR | 0x92ac4 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | - | -
RT_GROUP_CURSOR | 0x92ae8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92afc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92b10 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92b24 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92b38 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92b4c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92b60 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92b74 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92b88 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92b9c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92bb0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92bc4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92bd8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_CURSOR | 0x92bec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | -
RT_GROUP_ICON | 0x92c00 | 0x22 | data | Spanish | Mexico
RT_GROUP_ICON | 0x92c24 | 0x22 | data | Spanish | Mexico
RT_GROUP_ICON | 0x92c48 | 0x22 | data | Spanish | Mexico
RT_GROUP_ICON | 0x92c6c | 0x22 | data | Spanish | Mexico
RT_GROUP_ICON | 0x92c90 | 0x14 | data | Spanish | Mexico
RT_GROUP_ICON | 0x92ca4 | 0x22 | data | Spanish | Mexico
RT_GROUP_ICON | 0x92cc8 | 0x22 | data | Spanish | Mexico
RT_GROUP_ICON | 0x92cec | 0x22 | data | Spanish | Mexico
RT_GROUP_ICON | 0x92d10 | 0x22 | data | Spanish | Mexico
RT_GROUP_ICON | 0x92d34 | 0x14 | data | Spanish | Mexico
RT_VERSION | 0x92d48 | 0x314 | data | - | -
RT_MANIFEST | 0x9305c | 0x56 | ASCII text, with CRLF line terminators | English | United States
                           DLL | Import
                           KERNEL32.dll | GetFileAttributesA, GetFileTime, GetTickCount, HeapAlloc, HeapFree, RtlUnwind, HeapReAlloc, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, GetCommandLineA, GetProcessHeap, RaiseException, HeapSize, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, Sleep, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetACP, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEnvironmentVariableA, FileTimeToLocalFileTime, FileTimeToSystemTime, GetOEMCP, GetCPInfo, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetThreadLocale, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GlobalFlags, WritePrivateProfileStringA, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, InterlockedDecrement, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, FreeResource, GetCurrentProcessId, GlobalAddAtomA, CloseHandle, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, LoadLibraryA, lstrcmpA, FreeLibrary, GlobalDeleteAtom, GetModuleHandleA, GetProcAddress, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, MulDiv, SetLastError, ExitProcess, GetCurrencyFormatW, FindResourceA, LoadResource, LockResource, SizeofResource, lstrlenA, CompareStringW, CompareStringA, GetVersion, GetLastError, WideCharToMultiByte, MultiByteToWideChar, SetHandleCount, InterlockedExchange
                           USER32.dll | GetNextDlgGroupItem, MessageBeep, UnregisterClassA, RegisterClipboardFormatA, PostThreadMessageA, SetCapture, LoadCursorA, GetSysColorBrush, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, DestroyMenu, SetWindowContextHelpId, MapDialogRect, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, IsChild, GetCapture, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, InvalidateRgn, GetWindowTextA, GetForegroundWindow, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, EqualRect, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetWindow, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, CharUpperA, DrawIcon, AppendMenuA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, SetWindowsHookExA, InvalidateRect, SetRect, IsRectEmpty, CopyAcceleratorTableA, CharNextA, ReleaseCapture, SendMessageA, GetSystemMenu, IsIconic, GetClientRect, EnableWindow, LoadIconA, GetSystemMetrics, GetSubMenu, GetMenuItemCount, GetMenuItemID, GetMenuState, PostQuitMessage, PostMessageA, CheckMenuItem, EnableMenuItem, ModifyMenuA, GetParent, GetFocus, LoadBitmapA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, GetActiveWindow, DispatchMessageA, TranslateMessage, GetMessageA, CallNextHookEx, GetClassLongA
                           GDI32.dll | SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, DeleteDC, GetStockObject, GetBkColor, GetTextColor, CreateRectRgnIndirect, GetRgnBox, GetMapMode, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, TextOutA, RectVisible, PtVisible, GetDeviceCaps, GetViewportExtEx, DeleteObject, SetMapMode, RestoreDC, SaveDC, ExtTextOutA, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, GetWindowExtEx
                           comdlg32.dll | GetFileTitleA
                           WINSPOOL.DRV | DocumentPropertiesA, OpenPrinterA, ClosePrinter
                           ADVAPI32.dll | RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegCloseKey
                           SHLWAPI.dll | PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
                           oledlg.dll |
                           ole32.dll | OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CoRevokeClassObject, CoTaskMemAlloc, CoTaskMemFree, OleIsCurrentClipboard, OleFlushClipboard, CoRegisterMessageFilter, CLSIDFromProgID
                           OLEAUT32.dll | VariantChangeType, VariantInit, SysAllocStringLen, SysFreeString, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, VariantTimeToSystemTime, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, VariantCopy, VariantClear
                           Name | Ordinal | Address
                           DllRegisterServer | 1 | 0x1000373c
                           Language of compilation system | Country where language is spoken | Map
                           Spanish | Mexico
                           English | United States
                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                           07/20/22-01:12:50.117023 | TCP | 2404338 | ET CNC Feodo Tracker Reported CnC Server TCP group 20 | 49816 | 8080 | 192.168.2.5 | 51.91.76.89
                           07/20/22-01:12:52.851489 | TCP | 2404304 | ET CNC Feodo Tracker Reported CnC Server TCP group 3 | 49827 | 7080 | 192.168.2.5 | 119.193.124.41

                          Target ID:0
                          Start time:01:12:00
                          Start date:20/07/2022
                          Path:C:\Windows\System32\loaddll32.exe
                          Wow64 process (32bit):true
                          Commandline:loaddll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll"
                          Imagebase:0x3e0000
                          File size:116736 bytes
                          MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:1
                          Start time:01:12:01
                          Start date:20/07/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1
                          Imagebase:0x1100000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:2
                          Start time:01:12:02
                          Start date:20/07/2022
                          Path:C:\Windows\SysWOW64\regsvr32.exe
                          Wow64 process (32bit):true
                          Commandline:regsvr32.exe /s C:\Users\user\Desktop\xhOJLzQSe7.dll
                          Imagebase:0xc40000
                          File size:20992 bytes
                          MD5 hash:426E7499F6A7346F0410DEAD0805586B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.471795717.00000000043F1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.471795717.00000000043F1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.471763679.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.471763679.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:3
                          Start time:01:12:02
                          Start date:20/07/2022
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1
                          Imagebase:0xca0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.465962452.0000000000C01000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.465962452.0000000000C01000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.465829043.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.465829043.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:4
                          Start time:01:12:03
                          Start date:20/07/2022
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:rundll32.exe C:\Users\user\Desktop\xhOJLzQSe7.dll,DllRegisterServer
                          Imagebase:0xca0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.466876693.0000000003250000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.466876693.0000000003250000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.466979688.0000000003281000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.466979688.0000000003281000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:6
                          Start time:01:12:08
                          Start date:20/07/2022
                          Path:C:\Windows\SysWOW64\regsvr32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Smcoeugpjqpltwaq\padmvjcc.wwg"
                          Imagebase:0xc40000
                          File size:20992 bytes
                          MD5 hash:426E7499F6A7346F0410DEAD0805586B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.972201454.0000000002F01000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.972201454.0000000002F01000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.972129886.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.972129886.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:8
                          Start time:01:12:20
                          Start date:20/07/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:12
                          Start time:01:12:42
                          Start date:20/07/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:13
                          Start time:01:12:42
                          Start date:20/07/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:17
                          Start time:01:13:24
                          Start date:20/07/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:19
                          Start time:01:13:51
                          Start date:20/07/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:21
                          Start time:01:14:14
                          Start date:20/07/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          No disassembly