popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

FnrTI

Malicious Library UPX PE64 PE File DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 July 15, 2022, 7:52 a.m. July 15, 2022, 7:55 a.m.
Size 269.0KB
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 745dac0fc6ed20141b8e9b80b76addc4
SHA256 fbaf857bb62b3f5f78b894c92ef05ac19e155384ac881f59ee991f6983530229
CRC32 C49E1440
ssdeep 6144:HhuDhkX/MAXwTCFQi+2JW/PAiikmKx770v/5kjjB589:HhuDCvM0rQi1W/PAiikPNm+jD
Yara
  • UPX_Zero - UPX packed file
  • IsDLL - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
104.168.155.143 Active Moloch
144.202.108.116 Active Moloch
149.56.131.28 Active Moloch
164.90.222.65 Active Moloch
172.105.226.75 Active Moloch
196.218.30.83 Active Moloch
207.148.79.14 Active Moloch
213.239.212.5 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49395 -> 213.239.212.5:443 2404314 ET CNC Feodo Tracker Reported CnC Server group 15 A Network Trojan was detected
TCP 192.168.56.101:49393 -> 104.168.155.143:8080 2404301 ET CNC Feodo Tracker Reported CnC Server group 2 A Network Trojan was detected
TCP 192.168.56.101:49395 -> 213.239.212.5:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49398 -> 172.105.226.75:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49405 -> 149.56.131.28:8080 2404306 ET CNC Feodo Tracker Reported CnC Server group 7 A Network Trojan was detected
TCP 172.105.226.75:8080 -> 192.168.56.101:49400 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49402 -> 149.56.131.28:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49403 -> 149.56.131.28:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 149.56.131.28:8080 -> 192.168.56.101:49404 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49391 -> 164.90.222.65:443 2404307 ET CNC Feodo Tracker Reported CnC Server group 8 A Network Trojan was detected
TCP 192.168.56.101:49392 -> 144.202.108.116:8080 2404304 ET CNC Feodo Tracker Reported CnC Server group 5 A Network Trojan was detected
TCP 192.168.56.101:49394 -> 213.239.212.5:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 213.239.212.5:443 -> 192.168.56.101:49396 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49399 -> 172.105.226.75:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2304
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2304
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000530000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2304
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000510000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2420
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2720
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2720
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001eb0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001dc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2516
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001dd0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3004
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3004
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2924
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2924
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2924
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001eb0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3056
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001ec0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1304
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1304
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1304
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001dd0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2768
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001de0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000590000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2436
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000005a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1988
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1988
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000410000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2744
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000420000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2812
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001cf0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2572
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000310000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2572
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000340000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2572
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2884
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001cf0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2292
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001df0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2964
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0
cmdline C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MxDzSVtwfSRlLv\dnfqUgyyGIrKnZE.dll"
Time & API Arguments Status Return Repeated

Process32FirstW

 snapshot_handle: 0x0000000000000144
process_name: [System Process]
process_identifier: 0
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: System
process_identifier: 4
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: smss.exe
process_identifier: 224
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: csrss.exe
process_identifier: 300
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: wininit.exe
process_identifier: 340
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: csrss.exe
process_identifier: 364
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: winlogon.exe
process_identifier: 404
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: services.exe
process_identifier: 440
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: lsass.exe
process_identifier: 452
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: lsm.exe
process_identifier: 460
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: svchost.exe
process_identifier: 580
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: svchost.exe
process_identifier: 656
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: svchost.exe
process_identifier: 728
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: svchost.exe
process_identifier: 796
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: svchost.exe
process_identifier: 836
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: audiodg.exe
process_identifier: 916
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: svchost.exe
process_identifier: 988
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: svchost.exe
process_identifier: 304
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: spoolsv.exe
process_identifier: 312
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: svchost.exe
process_identifier: 1044
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: taskhost.exe
process_identifier: 1132
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: svchost.exe
process_identifier: 1340
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: srvany.exe
process_identifier: 1380
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: KMService.exe
process_identifier: 1452
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: conhost.exe
process_identifier: 1468
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: sppsvc.exe
process_identifier: 1716
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: svchost.exe
process_identifier: 1804
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: dwm.exe
process_identifier: 2028
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: explorer.exe
process_identifier: 1156
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: pw.exe
process_identifier: 924
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: SearchIndexer.exe
process_identifier: 772
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: SearchProtocolHost.exe
process_identifier: 1776
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: SearchFilterHost.exe
process_identifier: 1492
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: mobsync.exe
process_identifier: 2348
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: pw.exe
process_identifier: 2520
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: taskhost.exe
process_identifier: 2612
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: SearchProtocolHost.exe
process_identifier: 2708
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: rundll32.exe
process_identifier: 2116
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000144
process_name: rundll32.exe
process_identifier: 2812
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 3848
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 3948
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 4036
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 3104
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 3152
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 2400
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 3260
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 2396
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 3248
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 3640
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: regsvr32.exe
process_identifier: 3724
1 1 0
section {u'size_of_data': u'0x0002be00', u'virtual_address': u'0x0001b000', u'entropy': 7.848244115365133, u'name': u'.rsrc', u'virtual_size': u'0x0002bc80'} entropy 7.84824411537 description A section with a high entropy has been found
entropy 0.654850746269 description Overall entropy of this PE file is high
process regsvr32.exe
process rundll32.exe
host 104.168.155.143
host 144.202.108.116
host 149.56.131.28
host 164.90.222.65
host 172.105.226.75
host 196.218.30.83
host 207.148.79.14
host 213.239.212.5
service_name dnfqUgyyGIrKnZE.dll service_path C:\Windows\System32\regsvr32.exe "C:\Windows\system32\MxDzSVtwfSRlLv\dnfqUgyyGIrKnZE.dll"
Time & API Arguments Status Return Repeated

CreateServiceW

 service_start_name:
start_type: 2
password:
display_name: dnfqUgyyGIrKnZE.dll
filepath: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\MxDzSVtwfSRlLv\dnfqUgyyGIrKnZE.dll"
service_name: dnfqUgyyGIrKnZE.dll
filepath_r: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MxDzSVtwfSRlLv\dnfqUgyyGIrKnZE.dll"
desired_access: 2
service_handle: 0x0000000000239830
error_control: 0
service_type: 16
service_manager_handle: 0x0000000000239440
1 2332720 0
file C:\Windows\System32\MxDzSVtwfSRlLv\dnfqUgyyGIrKnZE.dll:Zone.Identifier
Lionic Trojan.Win64.Strab.4!c
Elastic malicious (moderate confidence)
Cynet Malicious (score: 99)
FireEye Generic.mg.745dac0fc6ed2014
CAT-QuickHeal Trojan.Win64
McAfee Emotet-FTY!745DAC0FC6ED
Malwarebytes Trojan.Emotet
Sangfor Trojan.Win64.Kryptik.DHR
K7AntiVirus Trojan ( 0059554a1 )
BitDefender Trojan.GenericKD.50608750
K7GW Trojan ( 0059554a1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D3043A6E
Cyren W64/S-ec2e480c!Eldorado
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win64/Kryptik.DHR
Paloalto generic.ml
ClamAV Win.Trojan.Emotet-9955402-0
Kaspersky Trojan.Win64.Strab.n
Alibaba Trojan:Win64/Strab.7b781f12
ViRobot Trojan.Win32.Z.Emotet.275456.KB
MicroWorld-eScan Trojan.GenericKD.50608750
Avast Win64:BotX-gen [Trj]
Tencent Trojan.Win64.Kryptik.zr
Ad-Aware Trojan.GenericKD.50608750
Emsisoft Trojan.GenericKD.50608750 (B)
Comodo Malware@#3au9qi7krnqm3
F-Secure Trojan.TR/Kryptik.pwmhf
DrWeb Trojan.Emotet.1203
VIPRE Trojan.GenericKD.50608750
TrendMicro TrojanSpy.Win64.EMOTET.SMYXCFC
McAfee-GW-Edition Emotet-FTY!745DAC0FC6ED
Sophos Mal/Generic-S + Troj/Emotet-DCG
Jiangmin Trojan.Strab.bcj
Webroot W32.Trojan.Emotet
Avira TR/Kryptik.pwmhf
Antiy-AVL Trojan/Generic.ASMalwS.6C82
Kingsoft Win32.Troj.Win64.n.(kcloud)
Microsoft Trojan:Win64/Emotet.BY!MTB
GData Trojan.GenericKD.50608750
AhnLab-V3 Malware/Win.FTY.R503424
VBA32 Trojan.Win64.Emotet
ALYac Trojan.Agent.Emotet
MAX malware (ai score=99)
Cylance Unsafe
Rising Trojan.Emotet/x64!1.DEEF (CLASSIC)
Yandex Trojan.Strab!V/4HjPjRRxs
Ikarus Trojan-Spy.Emotet
MaxSecure Trojan.Malware.185465870.susgen
Fortinet W64/Emotet.G!tr
dead_host 144.202.108.116:8080
dead_host 207.148.79.14:8080
dead_host 164.90.222.65:443
dead_host 196.218.30.83:443
dead_host 104.168.155.143:8080