
Analysis Report BsYHxeX7Ok.dll

Overview

General Information

Sample Name: BsYHxeX7Ok.dll
Analysis ID: 344139
MD5: 0125320a954399ad7b275b67b97a273f
SHA1: 37afd871f306977f49c56400183ef5a80d8748f1
SHA256: d8a15d14d7bdc4d2e1d948e20cf2835b452f46b2c0860ccd8147ee8d8a43adec
Tags: dll, Heodo (Heodo is an alias of the Emotet family)


Detection

Emotet
Score: 60 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to get notified if a device is plugged in / out
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
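The signature "Uses code obfuscation techniques (call, push, ret)" refers to two byte patterns that hide control flow from static disassembly: `push imm32; ret`, which is an indirect jump to the pushed address, and `call $+5; pop reg`, which lets code learn its own address. The scanner below is an added example written for this page, not Joe Sandbox code and not taken from the sample; the SAMPLE bytes are constructed, and the 0x710000 base is borrowed from the unpacked region in this report purely as a display base.

```python
"""Scan raw 32-bit x86 code for push/ret and call/pop obfuscation patterns.

Added example for this report; SAMPLE is constructed, not from BsYHxeX7Ok.dll."""
import struct

# x86 opcodes used here: 0x68 = push imm32, 0xC3 = ret, 0xE8 = call rel32,
# 0x58..0x5F = pop r32, 0x90 = nop.
PUSH_IMM32, RET, CALL_REL32, NOP = 0x68, 0xC3, 0xE8, 0x90


def find_push_ret(code: bytes, base: int):
    """Return (address, target) for every 'push imm32; ret' pair.

    The pair jumps to imm32 without ever producing a jmp/call that a
    disassembler would record as a cross-reference."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] == PUSH_IMM32 and code[i + 5] == RET:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, target))
    return hits


def find_call_pop(code: bytes, base: int):
    """Return (address, obtained_eip) for 'call $+5; pop r32' sequences.

    A call with rel32 == 0 pushes the address of the next instruction and
    falls through to it; the pop then hands the code its own address, the
    classic position-independent trick in shellcode and unpacking stubs."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] == CALL_REL32:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            nxt = i + 5
            if rel == 0 and nxt < len(code) and 0x58 <= code[nxt] <= 0x5F:
                hits.append((base + i, base + nxt))
    return hits


def obfuscation_score(code: bytes, base: int = 0x710000) -> float:
    """Number of both patterns per KiB of code; a few per KiB is unusual in
    compiler output and worth a closer look."""
    n = len(find_push_ret(code, base)) + len(find_call_pop(code, base))
    return n * 1024 / max(len(code), 1)


# Constructed sample: one ordinary call (not flagged), a push/ret jump and a
# call/pop stub, padded with nops.
SAMPLE = (
    b"\xE8\x10\x00\x00\x00"            # call +0x10 (ordinary call)
    + bytes([NOP] * 3)
    + b"\x68\x00\x20\x71\x00\xC3"      # push 0x712000 ; ret  -> jmp 0x712000
    + bytes([NOP] * 2)
    + b"\xE8\x00\x00\x00\x00\x5B"      # call $+5 ; pop ebx   -> ebx = eip
    + bytes([NOP] * 4)
)

if __name__ == "__main__":
    for addr, tgt in find_push_ret(SAMPLE, 0x710000):
        print(f"push/ret at {addr:#x} jumps to {tgt:#x}")
    for addr, eip in find_call_pop(SAMPLE, 0x710000):
        print(f"call/pop at {addr:#x} obtains eip {eip:#x}")
```

Run it over a carved region (for example the bytes of the `.unpack` files listed in the Yara overview) rather than over the packed file on disk; the patterns only become visible once the loader has unpacked the real code.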

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6404 cmdline: loaddll32.exe 'C:\Users\user\Desktop\BsYHxeX7Ok.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
    • WerFault.exe (PID: 6528 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 444 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 7016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 472 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Reading the tree: loaddll32.exe is the sandbox's generic host for DLL samples; it loads the DLL, runs DllMain and then calls its exports. The three WerFault.exe instances are Windows Error Reporting reacting to three crashes of that host (all three carry -p 6404), and the classification label further down records no network endpoints. Taken together this indicates that the payload died before reaching its C2 stage, which also explains why no configuration could be extracted. The usual next step is a re-run that invokes the specific export the loader expects (for example via rundll32.exe) rather than the generic host.

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author
1.2.loaddll32.exe.710000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
1.2.loaddll32.exe.850000.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
1.2.loaddll32.exe.850000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
1.2.loaddll32.exe.710000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

All matches are on memory regions of loaddll32.exe (bases 0x710000, 0x820000 and 0x850000) and on PEs carved from two of those regions; none is on the file as submitted. The DLL on disk is therefore a packed loader, and the Emotet body only exists after unpacking.
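The dump names in the Memory Dumps table encode where each Yara hit was found, and reading them tells you which hits are on freshly unpacked code. The helper below is an added example, not Joe Sandbox code. It assumes, from how the names line up with the `1.2.loaddll32.exe.<base>` entries, that the fields are process index, dump stage, dump id, base address, page protection and region type; the protection values are the Windows PAGE_* constants, and 0x40 is PAGE_EXECUTE_READWRITE.

```python
"""Decode Joe Sandbox memory-dump names and rank Yara hits by page protection.

Added example; field meanings are an assumption (see lead-in), the PAGE_*
values are the Windows constants from winnt.h."""
import re
from dataclasses import dataclass

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# <proc>.<stage>.<dump id>.<base>.<protection>.<kind>.sdmp  (assumed layout)
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int   # assumption: the '1' in '1.2.loaddll32.exe...'
    stage: int           # assumption: the '2' in '1.2.loaddll32.exe...'
    base: int
    protection: int
    kind: int

    @property
    def rwx(self) -> bool:
        """Executable and writable at once: the usual footprint of an unpacked payload."""
        return self.protection in EXECUTABLE and self.protection in WRITABLE

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:02x}")


def parse_dump_name(name: str) -> DumpRegion:
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(
        process_index=int(m["proc"], 16), stage=int(m["stage"], 16),
        base=int(m["base"], 16), protection=int(m["prot"], 16), kind=int(m["kind"], 16),
    )


def unpack_id(region: DumpRegion, image_name: str = "loaddll32.exe") -> str:
    """Prefix of the matching 'Unpacked PEs' entry, e.g. '1.2.loaddll32.exe.850000'."""
    return f"{region.process_index}.{region.stage}.{image_name}.{region.base:x}"


def rank_hits(names):
    """RWX regions first, then ascending base address."""
    regions = [parse_dump_name(n) for n in names]
    return sorted(regions, key=lambda r: (not r.rwx, r.base))


# The three memory-dump Yara hits from this report.
HITS = [
    "00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp",
    "00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp",
    "00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp",
]

if __name__ == "__main__":
    for r in rank_hits(HITS):
        print(f"{'RWX' if r.rwx else '   '} {unpack_id(r)}  {r.protection_name}")
```

All three hits in this report decode to PAGE_EXECUTE_READWRITE regions in process 1 (loaddll32.exe), which is why the carved `1.2.loaddll32.exe.710000` and `1.2.loaddll32.exe.850000` PEs are the ones to pull for further analysis.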

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: BsYHxeX7Ok.dll  Virustotal: Detection: 14%
Source: BsYHxeX7Ok.dll  ReversingLabs: Detection: 57%
Machine Learning detection for sample
Source: BsYHxeX7Ok.dll  Joe Sandbox ML: detected
The low VirusTotal ratio is expected for a freshly packed loader: the Emotet Yara rule matches only in memory and in the unpacked PEs, never on the file itself, so the memory hits and the ML verdict are the stronger evidence here.

Compliance:

Uses 32bit PE files
Source: BsYHxeX7Ok.dll  Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
These seven bits together give an IMAGE_FILE_HEADER.Characteristics value of 0xA18E. The two BYTES_REVERSED bits are obsolete in the PE specification and are left clear by MSVC; they are commonly set by the Borland/Delphi linker, which is consistent with the Delphi registry key the process opens later in this report.
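To reproduce the flag list above from a file without a full PE library, read `e_lfanew` from the DOS header, check the `PE\0\0` signature and decode the two-byte Characteristics field of IMAGE_FILE_HEADER. The code below is an added example for this page, not sandbox code; the bytes it parses are a constructed minimal stub carrying the same 0xA18E characteristics as the report, not the sample itself, and `triage()` is a hypothetical helper name.

```python
"""Decode IMAGE_FILE_HEADER.Characteristics into the names Joe Sandbox prints.

Added example; SAMPLE_STUB is a constructed header, not BsYHxeX7Ok.dll."""
import struct

# IMAGE_FILE_* characteristic bits (winnt.h).
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x1000: "SYSTEM", 0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
IMAGE_FILE_MACHINE_I386 = 0x14C


def file_header(data: bytes):
    """Return (Machine, Characteristics) from a PE image's IMAGE_FILE_HEADER."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return machine, chars


def decode_characteristics(chars: int):
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit]


def triage(data: bytes):
    """The facts a report wants from the header: 32-bit DLL, and the toolchain hint."""
    machine, chars = file_header(data)
    flags = decode_characteristics(chars)
    return {
        "is_dll": "DLL" in flags,
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386 and "32BIT_MACHINE" in flags,
        # Both BYTES_REVERSED bits set is typical Borland/Delphi linker output;
        # a toolchain hint, not a maliciousness signal on its own.
        "borland_style": {"BYTES_REVERSED_LO", "BYTES_REVERSED_HI"} <= set(flags),
        "flags": flags,
    }


def build_stub(characteristics: int, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed minimal image: DOS header, PE signature and IMAGE_FILE_HEADER only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    fh = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + fh


# LOCAL_SYMS_STRIPPED | 32BIT_MACHINE | BYTES_REVERSED_LO | EXECUTABLE_IMAGE
# | DLL | LINE_NUMS_STRIPPED | BYTES_REVERSED_HI == 0xA18E, as in the report.
SAMPLE_STUB = build_stub(0xA18E)

if __name__ == "__main__":
    print(triage(SAMPLE_STUB))
```

Against a real file, pass `open(path, "rb").read()` to `triage()`; the function only touches the first few hundred bytes, so it is safe to run on a packed or otherwise malformed sample.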
Binary contains paths to debug symbols
Every PDB path below was found in the memory of WerFault.exe (process indexes 00000004, 00000007 and 0000000B) and names a Windows system DLL symbol file (wkernel32.pdb, wntdll.pdb, combase.pdb and so on). The signature therefore describes the crash handler's own memory, not the sample, and carries no attribution value for BsYHxeX7Ok.dll.
                Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.231666767.00000000055A2000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243107080.0000000004FB2000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
                Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: comctl32v582.pdb7 source: WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp
                Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: msctf.pdbJ source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
                Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.231708622.00000000055A5000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243136061.0000000004FB5000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
                Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.264415332.000000000287F000.00000004.00000001.sdmp
                Source: Binary string: wUxTheme.pdb/ source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000004.00000003.231708622.00000000055A5000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243136061.0000000004FB5000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
                Source: Binary string: wimm32.pdb; source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
                Source: Binary string: msctf.pdby source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: wimm32.pdbp source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
                Source: Binary string: combase.pdb\ source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
                Source: Binary string: version.pdb% source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
                Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
                Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.231666767.00000000055A2000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243107080.0000000004FB2000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
                Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
                Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: version.pdbv source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
                Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: wUxTheme.pdbR source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
                Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
                Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: comctl32v582.pdb, source: WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
                Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000004.00000002.235969294.0000000004E4A000.00000004.00000001.sdmp
                Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: ole32.pdb( source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
                Source: Binary string: upwntdll.pdb"w0 source: WerFault.exe, 00000004.00000003.231587693.0000000004E4A000.00000004.00000001.sdmp
                Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.264415332.000000000287F000.00000004.00000001.sdmp
Contains functionality to get notified if a device is plugged in / out
Source: C:\Windows\System32\loaddll32.exe  Code function: 1_2_00738000 RegisterDeviceNotificationA,GetProcessDpiAwarenessInternal

Strings found in memory (WerFault.exe only)
Source: WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp  String found in binary or memory: http://crl.microsoftmT
Source: WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp  String found in binary or memory: http://crl.microsoftmT9
Both strings are truncated fragments of a Microsoft CRL URL left in the crash handler's memory; they are not network indicators for the sample, which contacted no host in this run.

E-Banking Fraud:

Yara detected Emotet
Source: Yara match  File source: 00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 1.2.loaddll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.loaddll32.exe.850000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.loaddll32.exe.710000.0.unpack, type: UNPACKEDPE
Further signature sources (category headings not preserved):

Contains functionality to shutdown / reboot the system
Source: C:\Windows\System32\loaddll32.exe  Code function: 1_2_007385AC EnumDisplayMonitors,ExitWindowsEx,GetSystemMetrics,GetSystemMetrics
Code functions identified in C:\Windows\System32\loaddll32.exe without an imported API (the 1_2_ prefix matches the 1.2.loaddll32.exe entries in the Yara overview; all but the last two sit just above the 0x710000 base of the region Yara matched as unpacked Emotet):
1_2_0071DBB2, 1_2_0072D87D, 1_2_00711662, 1_2_00711664, 1_2_0072505A, 1_2_0071BA46, 1_2_0071F249, 1_2_00728C4D,
1_2_0072DA27, 1_2_00728A24, 1_2_0071422B, 1_2_0071A82A, 1_2_0071B22A, 1_2_0072A02C, 1_2_0072A82C, 1_2_0071E42E,
1_2_00712814, 1_2_0072821E, 1_2_00724602, 1_2_0071E8F6, 1_2_00711EF9, 1_2_00716AFC, 1_2_007138E1, 1_2_00722CE3,
1_2_00720CE0, 1_2_0072E4E1, 1_2_0072A2E5, 1_2_00714AD3, 1_2_0072B0D5, 1_2_007168D8, 1_2_007184D8, 1_2_007142DE,
1_2_007148C7, 1_2_007212B3, 1_2_0072E0B6, 1_2_0071BEBD, 1_2_00718EA1, 1_2_007126A0, 1_2_00712C93, 1_2_00721494,
1_2_0071AE9E, 1_2_00720082, 1_2_0072E689, 1_2_00728489, 1_2_0072197B, 1_2_0072BF69, 1_2_00717B6A, 1_2_0071A16A,
1_2_00729D6D, 1_2_00720950, 1_2_00721F54, 1_2_0072CB58, 1_2_00713743, 1_2_0071F54C, 1_2_0072894D, 1_2_0071D535,
1_2_00726334, 1_2_00724D39, 1_2_00728721, 1_2_00729726, 1_2_0072732F, 1_2_0072C92D, 1_2_00723F16, 1_2_0072CF07,
1_2_00717306, 1_2_00713F0A, 1_2_007133F4, 1_2_0071A7FA, 1_2_007229E3, 1_2_0071F7EF, 1_2_007207D3, 1_2_007195DD,
1_2_0072D5DF, 1_2_0072C1C2, 1_2_007121C0, 1_2_0072E9A2, 1_2_0071EBA4, 1_2_0072B598, 1_2_0072539F, 1_2_0071799F,
1_2_0072DD80, 1_2_00727B8D, 1_2_0074303C, 1_2_00751E14
PE file contains strange resources
Source: BsYHxeX7Ok.dll  Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Classification
Source: classification engine  Classification label: mal60.troj.winDLL@4/12@0/0
In Joe Sandbox's label convention this reads as: malicious, score 60, trojan behaviour, Windows DLL; 4 processes and 12 files, 0 contacted hosts and 0 IPs. The zero network counts match the crashes in the process tree.

Process, file and registry activity
Source: unknown  Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\BsYHxeX7Ok.dll'
Source: unknown  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240
Source: unknown  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 444
Source: unknown  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 472
Source: C:\Windows\SysWOW64\WerFault.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6404
Source: C:\Windows\SysWOW64\WerFault.exe  File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9730.tmp
Source: C:\Windows\SysWOW64\WerFault.exe  File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: C:\Windows\System32\loaddll32.exe  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
The Borland\Delphi\Locales key is read by the Delphi runtime when a Delphi-built module initialises; together with the BYTES_REVERSED_LO/HI characteristics this points to a Delphi-compiled loader wrapped around the Emotet payload. The Safer\CodeIdentifiers key holds Software Restriction Policy settings that Windows consults when loading executables, so that read is routine rather than sample behaviour. Everything attributed to WerFault.exe (mutant, WER temp file, hosts lookups) is crash reporting, not sample activity.
                Source: Binary string: version.pdbv source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
                Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: wUxTheme.pdbR source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
                Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
                Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
                Source: Binary string: comctl32v582.pdb, source: WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
                Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000004.00000002.235969294.0000000004E4A000.00000004.00000001.sdmp
                Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: ole32.pdb( source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
                Source: Binary string: upwntdll.pdb"w0 source: WerFault.exe, 00000004.00000003.231587693.0000000004E4A000.00000004.00000001.sdmp
                Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.264415332.000000000287F000.00000004.00000001.sdmp
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00762D98 push 00762E25h; ret 1_2_00762E1D
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0077086C push 00770898h; ret 1_2_00770890
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00773848 push 00773874h; ret 1_2_0077386C
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00770834 push 00770860h; ret 1_2_00770858
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00764038 push 00764064h; ret 1_2_0076405C
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00770020 push 00770058h; ret 1_2_00770050
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073C8F0 push 0073C91Ch; ret 1_2_0073C914
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B8EC push 0073B92Fh; ret 1_2_0073B927
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_007528C8 push 00752933h; ret 1_2_0075292B
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073A0B4 push 0073A0E0h; ret 1_2_0073A0D8
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_007738B8 push 007738E4h; ret 1_2_007738DC
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073C8A4 push 0073C8E6h; ret 1_2_0073C8DE
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00773880 push 007738ACh; ret 1_2_007738A4
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B964 push 0073B990h; ret 1_2_0073B988
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00770934 push 00770960h; ret 1_2_00770958
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073E9E8 push 0073EA14h; ret 1_2_0073EA0C
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00758994 push ecx; mov dword ptr [esp], ecx 1_2_00758998
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B99C push 0073B9D4h; ret 1_2_0073B9CC
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B274 push 0073B2CDh; ret 1_2_0073B2C5
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00738A50 push 00738A7Ch; ret 1_2_00738A74
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073CA58 push 0073CA84h; ret 1_2_0073CA7C
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073BA30 push 0073BA5Ch; ret 1_2_0073BA54
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073AA38 push 0073AA87h; ret 1_2_0073AA7F
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0076CA20 push 0076CA58h; ret 1_2_0076CA50
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0076BAF0 push 0076BB32h; ret 1_2_0076BB2A
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073AAE0 push 0073AB0Ch; ret 1_2_0073AB04
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073AAA8 push 0073AAD4h; ret 1_2_0073AACC
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00738B7C push 00738BA8h; ret 1_2_00738BA0
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0076BB64 push 0076BB90h; ret 1_2_0076BB88
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073BB60 push 0073BB8Ch; ret 1_2_0073BB84
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00739B64 push 00739BA2h; ret 1_2_00739B9A
                Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: WerFault.exe, 00000007.00000003.253017420.000000000479F000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.279948140.0000000004340000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                Source: WerFault.exe, 00000007.00000002.254441564.0000000004780000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW(
                Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: WerFault.exe, 0000000B.00000003.278361427.0000000002854000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWb
                Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0071A823 mov eax, dword ptr fs:[00000030h] 1_2_0071A823
                Source: C:\Windows\System32\loaddll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_007384D8 mouse_event,GetSystemMetrics,GetSystemMetrics, 1_2_007384D8

                Stealing of Sensitive Information:

                Yara detected Emotet
                Source: Yara match File source: 00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 1.2.loaddll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.loaddll32.exe.850000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.loaddll32.exe.710000.0.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (1) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
                Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (1) | NTDS | Peripheral Device Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

                Behavior Graph

                Behavior Graph ID: 344139, Sample: BsYHxeX7Ok.dll, Startdate: 26/01/2021, Architecture: WINDOWS, Score: 60
                Signatures attached to the graph: Multi AV Scanner detection for submitted file; Yara detected Emotet; Machine Learning detection for sample
                Process tree: loaddll32.exe started, and in turn started three WerFault.exe processes

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.