
Windows Analysis Report
os.exe_

Overview

General Information

Sample Name: os.exe_ (renamed file extension from exe_ to exe)
Analysis ID: 745620
MD5: df3118872eafc944ad200ad462023a5d
SHA1: afb8e59f0d39c614e6b7ac3486c7ea016342fb05
SHA256: e81704d02356f7f9a1a54ff857fa3afb2b96680b99c23643e1ccbc16b750239e

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Writes to foreign memory regions
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • os.exe (PID: 4688 cmdline: C:\Users\user\Desktop\os.exe MD5: DF3118872EAFC944AD200AD462023A5D)
    • conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • kbuhkupik.exe (PID: 2040 cmdline: C:\Users\user\AppData\Local\Temp\\kbuhkupik.exe" "C:\Users\user\AppData\Local\Temp\DB61.tmp MD5: EB199893441CED4BBBCB547FE411CF2D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
os.exe | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
    os.exe | Windows_Trojan_Emotet_db7d33fa | unknown | unknown
    • 0x9fe2b:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xa66d6:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xb606b:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xb9b5c:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xa8512:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
    • 0x9f8b4:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
    • 0x9fe19:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xb6059:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xa508e:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
    • 0xb795b:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3
    • 0xaa4e4:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3
    • 0xa8526:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
    • 0xa0887:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
    os.exe | Windows_Trojan_Emotet_d6ac1ea4 | unknown | unknown
    • 0x9eec8:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00
    • 0x9efb9:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00
    • 0x9fe94:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00
    • 0xa0561:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00
    • 0xa07a9:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00
    • 0xa0fe9:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00
    • 0xa15f2:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00
    • 0xa170c:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00
    • 0xa4876:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00
    • 0xa5284:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00
    • 0xa57fd:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00
    • 0xa5c7a:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00
    • 0xa649d:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00
    • 0xa67eb:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00
    • 0xa6aee:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00
    • 0xa7c9b:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00
    • 0xa7d7b:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00
    • 0xaa646:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00
    • 0xab787:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00
    • 0xac2db:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00
    • 0xac614:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
    Source | Rule | Description | Author | Strings
    C:\Users\user\Desktop\6E8422DB.dll | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
      C:\Users\user\Desktop\6E8422DB.dll | Windows_Trojan_Emotet_db7d33fa | unknown | unknown
      • 0x1417:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0x7cc2:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0x17657:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0x1b148:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0x9afe:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
      • 0xea0:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
      • 0x1405:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0x17645:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0x667a:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
      • 0x18f47:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3
      • 0xbad0:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3
      • 0x9b12:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
      • 0x1e73:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
      C:\Users\user\Desktop\6E8422DB.dll | Windows_Trojan_Emotet_d6ac1ea4 | unknown | unknown
      • 0x4b4:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00
      • 0x5a5:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00
      • 0x1480:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00
      • 0x1b4d:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00
      • 0x1d95:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00
      • 0x25d5:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00
      • 0x2bde:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00
      • 0x2cf8:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00
      • 0x5e62:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00
      • 0x6870:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00
      • 0x6de9:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00
      • 0x7266:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00
      • 0x7a89:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00
      • 0x7dd7:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00
      • 0x80da:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00
      • 0x9287:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00
      • 0x9367:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00
      • 0xbc32:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00
      • 0xcd73:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00
      • 0xd8c7:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00
      • 0xdc00:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
      Source | Rule | Description | Author | Strings
      00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
        00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp | Windows_Trojan_Emotet_db7d33fa | unknown | unknown
        • 0x1017:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0x78c2:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0x17257:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0x1ad48:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0x96fe:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
        • 0xaa0:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
        • 0x1005:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0x17245:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0x627a:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
        • 0x18b47:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3
        • 0xb6d0:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3
        • 0x9712:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
        • 0x1a73:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
        00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp | Windows_Trojan_Emotet_d6ac1ea4 | unknown | unknown
        • 0xb4:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00
        • 0x1a5:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00
        • 0x1080:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00
        • 0x174d:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00
        • 0x1995:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00
        • 0x21d5:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00
        • 0x27de:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00
        • 0x28f8:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00
        • 0x5a62:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00
        • 0x6470:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00
        • 0x69e9:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00
        • 0x6e66:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00
        • 0x7689:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00
        • 0x79d7:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00
        • 0x7cda:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00
        • 0x8e87:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00
        • 0x8f67:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00
        • 0xb832:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00
        • 0xc973:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00
        • 0xd4c7:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00
        • 0xd800:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
        00000000.00000002.574382395.00007FF88EE12000.00000008.00000001.01000000.00000004.sdmp | SUSP_Four_Byte_XOR_PE_And_MZ | Look for 4 byte xor of a PE starting at offset 0 | Wesley Shields <wxs@atarininja.org>
          00000002.00000000.311642845.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Emotet_db7d33fa | unknown | unknown
          • 0x6332:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
          • 0x6fa8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
          • 0x6fbc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
          • 0x8072:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
          Source | Rule | Description | Author | Strings
          2.0.kbuhkupik.exe.7ff7e47d0000.3.raw.unpack | Windows_Trojan_Emotet_db7d33fa | unknown | unknown
          • 0x6332:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
          • 0x6fa8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
          • 0x6fbc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
          • 0x8072:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
          0.2.os.exe.7ff88edf0000.2.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
            0.2.os.exe.7ff88edf0000.2.unpack | Windows_Trojan_Emotet_db7d33fa | unknown | unknown
            • 0x1417:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
            • 0x7cc2:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
            • 0x17657:$chunk_0: 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
            • 0x1b148:$chunk_0: 4C 8D 9C 24 90 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
            • 0x9afe:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
            • 0xea0:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
            • 0x1405:$chunk_3: 48 8B 45 37 BB 01 00 00 00 48 89 07 8B 45 3F 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
            • 0x17645:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 D0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
            • 0x667a:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
            • 0x18f47:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3
            • 0xbad0:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 40 02 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3
            • 0x9b12:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
            • 0x1e73:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
            0.2.os.exe.7ff88edf0000.2.unpack | Windows_Trojan_Emotet_d6ac1ea4 | unknown | unknown
            • 0x4b4:$calc1: C7 44 24 40 7B 0E 92 27 C7 04 24 47 1F 5F 64 C7 44 24 38 26 79 E2 53 C7 44 24 48 47 1F 22 51 C7 44 24 30 20 72 30 00
            • 0x5a5:$calc1: C7 44 24 30 BC 6D 33 2C C7 04 24 A9 D6 0C 1D C7 44 24 28 C5 95 6C EE C7 44 24 38 A9 D6 9E 16 C7 44 24 20 BE 32 E3 00
            • 0x1480:$calc1: C7 44 24 40 3D 98 DC 7F C7 04 24 E6 A1 05 7A C7 44 24 38 29 C3 BD 52 C7 44 24 48 E6 A1 00 3D C7 44 24 30 A1 10 2E 00
            • 0x1b4d:$calc1: C7 44 24 40 2D 36 EB 18 C7 04 24 4F CE FD 3D C7 44 24 38 5D 5B B3 E4 C7 44 24 48 4F CE 07 FF C7 44 24 30 4F F5 B7 00
            • 0x1d95:$calc1: C7 44 24 40 93 E3 A7 3D C7 04 24 BD 91 33 16 C7 44 24 38 BE 01 92 1F C7 44 24 48 BC 91 88 17 C7 44 24 30 4C A9 2D 00
            • 0x25d5:$calc1: C7 44 24 40 04 2B B6 1A C7 04 24 B9 F3 99 62 C7 44 24 38 10 B1 55 C4 C7 44 24 48 B9 F3 D6 CB C7 44 24 30 1C C9 85 00
            • 0x2bde:$calc1: C7 44 24 40 9A A4 6B 3B C7 04 24 52 14 27 75 C7 44 24 38 AB 43 7B 5D C7 44 24 48 53 14 B7 6A C7 44 24 30 B4 8A 7D 00
            • 0x2cf8:$calc1: C7 44 24 40 47 06 08 55 C7 04 24 73 79 B8 66 C7 44 24 38 0E DF 78 4E C7 44 24 48 73 79 2A DE C7 44 24 30 17 24 17 00
            • 0x5e62:$calc1: C7 44 24 30 49 30 8B 57 C7 04 24 65 D7 BF 5C C7 44 24 28 6D A7 F4 40 C7 44 24 38 65 D7 37 88 C7 44 24 20 98 07 A6 00
            • 0x6870:$calc1: C7 44 24 40 42 00 11 1E C7 04 24 0B D4 9C 5C C7 44 24 38 C1 64 09 D9 C7 44 24 48 0A D4 34 47 C7 44 24 30 86 33 B6 00
            • 0x6de9:$calc1: C7 44 24 40 12 AE 01 11 C7 04 24 14 30 18 37 C7 44 24 38 7C 17 7E CC C7 44 24 48 14 30 DD 5C C7 44 24 30 28 B5 5E 00
            • 0x7266:$calc1: C7 44 24 40 29 41 4F 30 C7 04 24 AE F8 07 7B C7 44 24 38 8C A2 E9 DE C7 44 24 48 AF F8 97 64 C7 44 24 30 16 B5 92 00
            • 0x7a89:$calc1: C7 44 24 30 0A CC 62 1C C7 04 24 D0 CC 8A 54 C7 44 24 28 34 EE DF 47 C7 44 24 38 D0 CC 7A D1 C7 44 24 20 B8 43 BC 00
            • 0x7dd7:$calc1: C7 44 24 30 84 B8 00 13 C7 04 24 ED 85 16 4C C7 44 24 28 B3 F8 07 49 C7 44 24 38 ED 85 43 1A C7 44 24 20 29 43 5B 00
            • 0x80da:$calc1: C7 44 24 40 3D 4A CC 1D C7 04 24 3A C5 09 64 C7 44 24 38 E4 05 78 CE C7 44 24 48 3B C5 99 7B C7 44 24 30 18 BA 0B 00
            • 0x9287:$calc1: C7 44 24 30 AF 69 CC 55 C7 04 24 AB C6 9A 7D C7 44 24 28 80 56 95 F7 C7 44 24 38 AB C6 8E 48 C7 44 24 20 6E 57 A8 00
            • 0x9367:$calc1: C7 44 24 30 33 8D 2B 66 C7 04 24 C8 92 EF 16 C7 44 24 28 5F B8 25 D8 C7 44 24 38 C8 92 ED 88 C7 44 24 20 E9 50 52 00
            • 0xbc32:$calc1: C7 44 24 40 2F 3F 55 3F C7 04 24 85 8D 9B 37 C7 44 24 38 15 38 6F C8 C7 44 24 48 85 8D 5A 89 C7 44 24 30 3A FC BC 00
            • 0xcd73:$calc1: C7 44 24 30 0F B6 65 5F C7 04 24 80 2C 25 17 C7 44 24 28 48 F6 27 14 C7 44 24 38 80 2C E7 B2 C7 44 24 20 1A 16 2F 00
            • 0xd8c7:$calc1: C7 44 24 30 D3 EC C0 30 C7 04 24 79 71 B5 4C C7 44 24 28 E2 A7 BC C0 C7 44 24 38 79 71 AF 47 C7 44 24 20 13 08 57 00
            • 0xdc00:$calc1: C7 44 24 30 CE 6C CB 23 C7 04 24 D7 1C 07 21 C7 44 24 28 5E B5 93 5E C7 44 24 38 D6 1C BC 20 C7 44 24 20 38 79 57 00
            0.3.os.exe.1acdc970000.4.unpack | Windows_Trojan_Emotet_db7d33fa | unknown | unknown
            • 0x5732:$chunk_0: 4C 8D 9C 24 70 02 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
            • 0x63a8:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
            • 0x63bc:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
            • 0x7472:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
            No Sigma rule has matched
            No Snort rule has matched


            AV Detection

            Source: os.exe | Avira: detected
            Source: C:\Users\user\Desktop\6E8422DB.dll | Avira: detection malicious, Label: HEUR/AGEN.1251140
            Source: C:\Users\user\Desktop\6E8422DB.dll | Virustotal: Detection: 57%
            Source: os.exe | Joe Sandbox ML: detected
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF6D40728F0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,
            Source: os.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: certutil.pdb source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr
            Source: Binary string: certutil.pdbGCTL source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr
            Source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
            Source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr | String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
            Source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c

            E-Banking Fraud

            Source: Yara match | File source: os.exe, type: SAMPLE
            Source: Yara match | File source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED

            System Summary

            Source: os.exe, type: SAMPLE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: os.exe, type: SAMPLE | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: 0.3.os.exe.1acdc970000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: 0.3.os.exe.1acdc970000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: 0.3.os.exe.1acdcb40000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: 00000002.00000000.311642845.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 00000000.00000003.312156622.000001ACDCA6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 00000002.00000002.312032417.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 00000000.00000003.312117777.000001ACDC970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: 00000002.00000000.311475701.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
            Source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
            Source: os.exe, type: SAMPLE | Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: os.exe, type: SAMPLE | Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdc970000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdc970000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdcb40000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 2.0.kbuhkupik.exe.7ff7e47d0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: 00000000.00000002.574382395.00007FF88EE12000.00000008.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: SUSP_Four_Byte_XOR_PE_And_MZ author = Wesley Shields <wxs@atarininja.org>, description = Look for 4 byte xor of a PE starting at offset 0, score = 2021-10-11, reference = https://gist.github.com/wxsBSD/bf7b88b27e9f879016b5ce2c778d3e83
            Source: 00000002.00000000.311642845.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 00000000.00000003.312156622.000001ACDCA6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 00000002.00000002.312032417.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 00000000.00000003.312117777.000001ACDC970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: 00000002.00000000.311475701.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPEDMatched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
            Source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPEDMatched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
            Source: C:\Users\user\Desktop\os.exeCode function: 0_2_00007FF88EDF2A4C
            Source: C:\Users\user\Desktop\os.exeCode function: 0_2_00007FF88EDFDA20
            Source: C:\Users\user\Desktop\os.exeCode function: 0_2_00007FF88EE05A30
            Source: C:\Users\user\Desktop\os.exeCode function: 0_2_00007FF88EDFB9FC
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D9648
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D67A0
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D37A0
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D4FC8
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D3CF8
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D75AC
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47DEDA8
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D79BC
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D6DF8
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D260C
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D711C
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47E2148
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47E1558
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D12A4
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D4E98
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D1EBC
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D2ACC
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D5310
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D4A48
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D2E68
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D47E0
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D83DC
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D1000
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D3B28
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D1B48
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D1758
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47DA0A0
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47E28F4
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D5D04
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47E1908
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D601C
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D6434
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D8044
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D5440
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D243C
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47E0C50
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D7470
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exeCode function: 2_2_00007FF7E47D1C8C
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF88EE085A8 NtUnmapViewOfSection,VirtualAllocEx,SetThreadContext,
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF88EE0A1D8 NtUnmapViewOfSection,
            Source: 6E8422DB.dll.0.dr | Static PE information: No import functions for PE file found
            Source: os.exe, 00000000.00000003.309580078.000001ACDE45E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCertUtil.exej% vs os.exe
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe 88EAE7C94142232FBB961DD8381FAEF23129B9F958BE283AE8393D28FED2092B
            Source: C:\Users\user\Desktop\os.exe | File read: C:\Users\user\Desktop\os.exe
            Source: os.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\os.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\os.exe C:\Users\user\Desktop\os.exe
            Source: C:\Users\user\Desktop\os.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\os.exe | Process created: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe C:\Users\user\AppData\Local\Temp\\kbuhkupik.exe" "C:\Users\user\AppData\Local\Temp\DB61.tmp
            Source: C:\Users\user\Desktop\os.exe | File created: C:\Users\user\Desktop\6E8422DB.dll
            Source: C:\Users\user\Desktop\os.exe | File created: C:\Users\user\AppData\Local\Temp\DB61.tmp
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/4@0/0
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_01
            Source: os.exe | Static PE information: Image base 0x140000000 > 0x60000000
            Source: os.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: os.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: os.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: os.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: os.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: os.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: os.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: os.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: certutil.pdb | source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr
            Source: Binary string: certutil.pdbGCTL | source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr
            Source: os.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: os.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: os.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: os.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: os.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF6D4089B8E push rbp; iretd
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF6D408ACC4 pushfq ; ret
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF6D408AD06 push rbp; iretd
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe | Code function: 2_2_00007FF7E47ED2F9 push rax; ret
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe | Code function: 2_2_00007FF7E47E4010 push rax; retf
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe | Code function: 2_2_00007FF7E47ED378 push rax; ret
            Source: os.exe | Static PE information: section name: _RDATA
            Source: 09F81D2E.dll.0.dr | Static PE information: section name: _RDATA
            Source: kbuhkupik.exe.0.dr | Static PE information: section name: .didat
            Source: C:\Users\user\Desktop\os.exe | File created: C:\Users\user\Desktop\6E8422DB.dll
            Source: C:\Users\user\Desktop\os.exe | File created: C:\Users\user\Desktop\09F81D2E.dll
            Source: C:\Users\user\Desktop\os.exe | File created: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe | Code function: 2_2_00007FF7E47D9648 EncodePointer,RtlEncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\os.exe TID: 1416 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\os.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\09F81D2E.dll
            Source: C:\Users\user\Desktop\os.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\os.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF6D407B568 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe | Code function: 2_2_00007FF7E47DCEBC EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF88EDFCFF4 GetProcessHeap,
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF6D407B110 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF6D407B568 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF6D407B710 SetUnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF6D407B2BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF6D40AE50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe | Code function: 2_2_00007FF7E47DAB8C SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,IsDebuggerPresent,
            Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe | Code function: 2_2_00007FF7E47E4108 SetUnhandledExceptionFilter,

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\os.exe | Section unmapped: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe base address: 7FF7E47D0000
            Source: C:\Users\user\Desktop\os.exe | Memory written: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe base: 7FF7E47D0000
            Source: C:\Users\user\Desktop\os.exe | File created: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe
            Source: C:\Users\user\Desktop\os.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe base: 7FF7E47D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\os.exe | Memory written: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe base: 7FF7E47D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\os.exe | Thread register set: target process: 2040
            Source: C:\Users\user\Desktop\os.exe | Process created: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe C:\Users\user\AppData\Local\Temp\\kbuhkupik.exe" "C:\Users\user\AppData\Local\Temp\DB61.tmp
            Source: C:\Users\user\Desktop\os.exe | Code function: GetLocaleInfoEx,
            Source: C:\Users\user\Desktop\os.exe | Code function: EnumSystemLocalesW,
            Source: C:\Users\user\Desktop\os.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,
            Source: C:\Users\user\Desktop\os.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
            Source: C:\Users\user\Desktop\os.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
            Source: C:\Users\user\Desktop\os.exe | Code function: EnumSystemLocalesW,
            Source: C:\Users\user\Desktop\os.exe | Code function: GetLocaleInfoW,
            Source: C:\Users\user\Desktop\os.exe | Code function: EnumSystemLocalesW,
            Source: C:\Users\user\Desktop\os.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\os.exe | Code function: 0_2_00007FF6D407B978 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

            Stealing of Sensitive Information

            Source: Yara match | File source: os.exe, type: SAMPLE
            Source: Yara match | File source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED
            MITRE ATT&CK matrix, listed by tactic column (the number beside a technique is the one shown in the report for this sample):
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
            Execution: Shared Modules (1); Scheduled Task/Job; At (Linux); At (Windows); Cron
            Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
            Privilege Escalation: Process Injection (511); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
            Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (511); Obfuscated Files or Information (1)
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
            Discovery: System Time Discovery (1); Security Software Discovery (13); Virtualization/Sandbox Evasion (21); System Information Discovery (13); Remote System Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
            Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
            Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation; Fallback Channels
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
            Initial Sample
            Source | Detection | Scanner | Label
            os.exe | 100% | Avira | HEUR/AGEN.1213146
            os.exe | 100% | Joe Sandbox ML |
            Dropped Files
            Source | Detection | Scanner | Label
            C:\Users\user\Desktop\6E8422DB.dll | 100% | Avira | HEUR/AGEN.1251140
            C:\Users\user\AppData\Local\Temp\kbuhkupik.exe | 0% | Virustotal |
            C:\Users\user\AppData\Local\Temp\kbuhkupik.exe | 0% | Metadefender |
            C:\Users\user\Desktop\6E8422DB.dll | 57% | Virustotal |
            Unpacked PE Files
            Source | Detection | Scanner | Label
            0.3.os.exe.1acdc960000.3.unpack | 100% | Avira | HEUR/AGEN.1215461
            0.3.os.exe.1acdcbdea14.0.unpack | 100% | Avira | HEUR/AGEN.1215461
            0.2.os.exe.7ff88edf0000.2.unpack | 100% | Avira | HEUR/AGEN.1251140
            Domains
            No Antivirus matches
            URLs
            Source | Detection | Scanner | Label
            https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | 0% | Avira URL Cloud | safe
            No contacted domains info
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr | false | Avira URL Cloud: safe | low
            https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.co | os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr | false | | high
            No contacted IP infos
              Joe Sandbox Version:36.0.0 Rainbow Opal
              Analysis ID:745620
              Start date and time:2022-11-14 15:05:41 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 6m 25s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:os.exe_ (renamed file extension from exe_ to exe)
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:8
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@4/4@0/0
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 83.2% (good quality ratio 74.6%)
              • Quality average: 61.6%
              • Quality standard deviation: 31.7%
              HCA Information:
              • Successful, ratio: 96%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
              • Not all processes where analyzed, report is missing behavior information
              No simulations
              No context
              Process:C:\Users\user\Desktop\os.exe
              File Type:PE32+ executable (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1557504
              Entropy (8bit):6.211780689185465
              Encrypted:false
              SSDEEP:24576:cgZXpeAPnh67DOFN29Qi7aHbEGoaPqjohfGLNUnjEAUFniL72f:cgZXp5/h0C2apHygioheLOjE62
              MD5:EB199893441CED4BBBCB547FE411CF2D
              SHA1:D04100B59A2620257B96FF5D9B420649F54B1392
              SHA-256:88EAE7C94142232FBB961DD8381FAEF23129B9F958BE283AE8393D28FED2092B
              SHA-512:8C86337A86F576D9FEE4D545B1541F211EB4A54663120CB2DE5F3DF2F972315AFB6F4312DCC8B57F784F1E917BE258E1440763531D5A42F8E3D4E6A75270E423
              Malicious:true
              Antivirus:
              • Antivirus: Virustotal, Detection: 0%, Browse
              • Antivirus: Metadefender, Detection: 0%, Browse
              Reputation:low
              Process:C:\Users\user\Desktop\os.exe
              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):121344
              Entropy (8bit):6.020791170598696
              Encrypted:false
              SSDEEP:3072:dvsJ1yYfWqzIcJ6+R8uQyUtjt8F+8uYW5j:R4cYfWqzr4+R8xZCF+dJ
              MD5:726E5AA7D5929BDC85333E966770FF1A
              SHA1:B43E1A8CF31AD480EC2AE01420E2017488993A8F
              SHA-256:89BE65452EA9DC74134F60311D57B84956D149C600C89801FB152BB04420B16B
              SHA-512:1E69593638B9735C3F7E1E0AE49705B8A10F833D65B9D754973FFF4EDB48DBD270C60E7D157D92F0E42E228C91FCFF2B32D1B1C7F8E4119CA2CBDBBFF70F7FE4
              Malicious:true
              Reputation:low
              Process:C:\Users\user\Desktop\os.exe
              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):253440
              Entropy (8bit):7.122291797078351
              Encrypted:false
              SSDEEP:6144:Ikcd+S1wXL3CHEDbcrP72YM6dLdv4Tyhz7FxLla3kcL2ql4:Ikcd7qXmEDb+PaYMOLaTyhzpxLla3kGK
              MD5:D022C836503739CEE4048234ACCFCEB2
              SHA1:A7BFAF7BC8528013BD460BEF2A56ADC7C5DAF0AE
              SHA-256:B0B5A1083E83868C5A4F2686453D2E8F1DAE5C74993F177CE9D6A3A277441674
              SHA-512:4188EC977DBCC99470D386EC811172365E35778AF9F3D034B9ADBEB36D617F7587BBA3CBFA6E98FB80C9F545215DED6E239E484210732889A16993F096971398
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: C:\Users\user\Desktop\6E8422DB.dll, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: C:\Users\user\Desktop\6E8422DB.dll, Author: unknown
              • Rule: Windows_Trojan_Emotet_d6ac1ea4, Description: unknown, Source: C:\Users\user\Desktop\6E8422DB.dll, Author: unknown
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Virustotal, Detection: 57%, Browse
              Reputation:low
              Process:C:\Users\user\Desktop\os.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):619
              Entropy (8bit):5.3345959332920705
              Encrypted:false
              SSDEEP:12:Rk7/Ux2LgbvOzjnlctA0XB/s+0+5vixJCjp5KbJzS+Fo6:m7/cUEGeVH35vi/Cp5szS6o6
              MD5:F1E1A3710F764D295A666E7712FCDDBE
              SHA1:FDB1A64C3CC119CC70B044C090D10619ADE6F317
              SHA-256:A9ADBFAF658248ED54930CCC30046BDC542DA11002BE4842D72AD3BC66AD52B0
              SHA-512:16D069E4ECDB23A7760FF40B4B51C2DF84F8C1B3AEE12D88D4C18F44B10DD1DC666C06D1A430AF2400241C891266E818A528CF6807138AB9B2591072F6DDB409
              Malicious:false
              Preview (ASCII text, line breaks restored):
              The embedded DLL was dropped to 6E8422DB.dll
              Running the embedded DLL with the following parameters:
              DLL SHA256:       B0B5A1083E83868C5A4F2686453D2E8F1DAE5C74993F177CE9D6A3A277441674
              Epoch:            4
              Computer name:    DESKTOPX1HXN1XA (random)
              Serial:           62BF261F (random)
              Emotet dummy DLL was dropped to 09F81D2E.dll
              KERNELBASE.dll!BaseUnicodeCommandLine was patched
              Command line was patched to "C:\Windows\System32\regsvr32.exe" "09F81D2E.dll"
              Loading 6E8422DB.dll...
              Calling DllEntryPoint() in custom mode...
              DllEntryPoint() returned TRUE
              The module may still be running in a separated thread
              File type:PE32+ executable (console) x86-64, for MS Windows
              Entropy (8bit):6.708031023378439
              TrID:
              • Win64 Executable Console (202006/5) 92.65%
              • Win64 Executable (generic) (12005/4) 5.51%
              • Generic Win/DOS Executable (2004/3) 0.92%
              • DOS Executable Generic (2002/1) 0.92%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:os.exe
              File size:903189
              MD5:df3118872eafc944ad200ad462023a5d
              SHA1:afb8e59f0d39c614e6b7ac3486c7ea016342fb05
              SHA256:e81704d02356f7f9a1a54ff857fa3afb2b96680b99c23643e1ccbc16b750239e
              SHA512:fb6dc4454fc3ec2c6604aae991fa835ac964cd4b4ef7d60d16480c132565d2ff6e01044d346db180faca61fad4d979755d4f5e4343dddbddfa5ccbacf58993a5
              SSDEEP:24576:LXV2EplBrPZus04p3CBdZkcd+XmqbIyCzb6kGR4:LXV2UltZppEvbDG
              TLSH:E9158D57A29942FDF1A7D1348486260AE7B0780652219ADF47E04BAF1F277E11E2F3DC
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........E........................f...................................................L.......L.n.....L.......Rich...................
              Icon Hash:00828e8e8686b000
              Entrypoint:0x14000b2a8
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x140000000
              Subsystem:windows cui
              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Time Stamp:0x637226A2 [Mon Nov 14 11:29:38 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:0
              File Version Major:6
              File Version Minor:0
              Subsystem Version Major:6
              Subsystem Version Minor:0
              Import Hash:d02262cfa0ab12b8c838af1a98da369c
              Instruction
              dec eax
              sub esp, 28h
              call 00007F9438DCCFACh
              dec eax
              add esp, 28h
              jmp 00007F9438DCC757h
              int3
              int3
              inc eax
              push ebx
              dec eax
              sub esp, 20h
              dec eax
              mov ebx, ecx
              xor ecx, ecx
              call dword ptr [00056E53h]
              dec eax
              mov ecx, ebx
              call dword ptr [00056E42h]
              call dword ptr [00056E4Ch]
              dec eax
              mov ecx, eax
              mov edx, C0000409h
              dec eax
              add esp, 20h
              pop ebx
              dec eax
              jmp dword ptr [00056E40h]
              dec eax
              mov dword ptr [esp+08h], ecx
              dec eax
              sub esp, 38h
              mov ecx, 00000017h
              call dword ptr [00056E34h]
              test eax, eax
              je 00007F9438DCC8E9h
              mov ecx, 00000002h
              int 29h
              dec eax
              lea ecx, dword ptr [0008F83Ah]
              call 00007F9438DCCAAEh
              dec eax
              mov eax, dword ptr [esp+38h]
              dec eax
              mov dword ptr [0008F921h], eax
              dec eax
              lea eax, dword ptr [esp+38h]
              dec eax
              add eax, 08h
              dec eax
              mov dword ptr [0008F8B1h], eax
              dec eax
              mov eax, dword ptr [0008F90Ah]
              dec eax
              mov dword ptr [0008F77Bh], eax
              dec eax
              mov eax, dword ptr [esp+40h]
              dec eax
              mov dword ptr [0008F87Fh], eax
              mov dword ptr [0008F755h], C0000409h
              mov dword ptr [0008F74Fh], 00000001h
              mov dword ptr [0008F759h], 00000001h
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7a2b4 | 0x3c | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x288 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x9d000 | 0x3c9c | .pdata
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa3000 | 0xd8c | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x725a0 | 0x38 | .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x72600 | 0x28 | .rdata
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x72460 | 0x140 | .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x62000 | 0x380 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x607b8 | 0x60800 | False | 0.4547542908031088 | data | 6.494863973067288 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x62000 | 0x18e5e | 0x19000 | False | 0.440009765625 | data | 5.1869098128532585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x7b000 | 0x214dc | 0x1fc00 | False | 0.48175289124015747 | data | 5.941625434601615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .pdata | 0x9d000 | 0x3c9c | 0x3e00 | False | 0.4765625 | data | 5.653230312289686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              _RDATA | 0xa1000 | 0x15c | 0x200 | False | 0.41796875 | data | 3.3314562870393805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc | 0xa2000 | 0x288 | 0x400 | False | 0.33203125 | data | 3.8449104178415685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0xa3000 | 0xd8c | 0xe00 | False | 0.46791294642857145 | data | 5.39595888202804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country
              RT_MANIFEST | 0xa2060 | 0x224 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (488), with CRLF line terminators | English | United States
              DLL | Import
              ADVAPI32.dll | CryptGetHashParam, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptAcquireContextW, CryptReleaseContext
              KERNEL32.dll | ReadFile, VirtualFree, WriteFile, VirtualAlloc, CreateToolhelp32Snapshot, CreateEventW, Sleep, GetLastError, CreateFileA, LoadLibraryA, DeleteFileA, CloseHandle, Module32FirstW, GetFileSize, Module32NextW, GetTickCount, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, GetModuleHandleW, GetProcAddress, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, MultiByteToWideChar, WideCharToMultiByte, InitializeCriticalSectionEx, EncodePointer, DecodePointer, GetStringTypeW, LCMapStringEx, GetLocaleInfoEx, CompareStringEx, GetCPInfo, RtlUnwind, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetCommandLineA, GetCommandLineW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, HeapAlloc, HeapFree, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetProcessHeap, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, GetTimeZoneInformation, HeapSize, CreateFileW, WriteConsoleW
              Language of compilation system | Country where language is spoken
              English | United States
              No network behavior found

              Target ID:0
              Start time:15:06:37
              Start date:14/11/2022
              Path:C:\Users\user\Desktop\os.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\Desktop\os.exe
              Imagebase:0x7ff6d4070000
              File size:903189 bytes
              MD5 hash:DF3118872EAFC944AD200AD462023A5D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, Author: unknown
              • Rule: Windows_Trojan_Emotet_d6ac1ea4, Description: unknown, Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, Author: unknown
              • Rule: SUSP_Four_Byte_XOR_PE_And_MZ, Description: Look for 4 byte xor of a PE starting at offset 0, Source: 00000000.00000002.574382395.00007FF88EE12000.00000008.00000001.01000000.00000004.sdmp, Author: Wesley Shields <wxs@atarininja.org>
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000000.00000003.312156622.000001ACDCA6E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000000.00000003.312117777.000001ACDC970000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Emotet_d6ac1ea4, Description: unknown, Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Emotet_d6ac1ea4, Description: unknown, Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              Reputation:low

              Target ID:1
              Start time:15:06:37
              Start date:14/11/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7c72c0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:2
              Start time:15:06:38
              Start date:14/11/2022
              Path:C:\Users\user\AppData\Local\Temp\kbuhkupik.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\Temp\\kbuhkupik.exe" "C:\Users\user\AppData\Local\Temp\DB61.tmp
              Imagebase:0x7ff7e47d0000
              File size:1557504 bytes
              MD5 hash:EB199893441CED4BBBCB547FE411CF2D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000002.00000000.311642845.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000002.00000002.312032417.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000002.00000000.311475701.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              Antivirus matches:
              • Detection: 0%, Virustotal
              • Detection: 0%, Metadefender
              Reputation:moderate

              No disassembly