Analysis Report BsYHxeX7Ok.dll

Overview

General Information

Sample Name: BsYHxeX7Ok.dll
Analysis ID: 344139
MD5: 0125320a954399ad7b275b67b97a273f
SHA1: 37afd871f306977f49c56400183ef5a80d8748f1
SHA256: d8a15d14d7bdc4d2e1d948e20cf2835b452f46b2c0860ccd8147ee8d8a43adec
Tags: dll, Heodo

Detection

Emotet
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to get notified if a device is plugged in / out
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6404 cmdline: loaddll32.exe 'C:\Users\user\Desktop\BsYHxeX7Ok.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
    • WerFault.exe (PID: 6528 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 444 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 7016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 472 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.loaddll32.exe.710000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.loaddll32.exe.850000.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.loaddll32.exe.850000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.loaddll32.exe.710000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: BsYHxeX7Ok.dll | Virustotal: Detection: 14%
Source: BsYHxeX7Ok.dll | ReversingLabs: Detection: 57%
Machine Learning detection for sample
Source: BsYHxeX7Ok.dll | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: BsYHxeX7Ok.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Binary contains paths to debug symbols
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00738000 RegisterDeviceNotificationA,GetProcessDpiAwarenessInternal,
Source: WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoftmT
Source: WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoftmT9

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.loaddll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.850000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.710000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_007385AC EnumDisplayMonitors,ExitWindowsEx,GetSystemMetrics,GetSystemMetrics,
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240
Source: BsYHxeX7Ok.dll | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: BsYHxeX7Ok.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal60.troj.winDLL@4/12@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6404
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9730.tmp
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: BsYHxeX7Ok.dll | Virustotal: Detection: 14%
Source: BsYHxeX7Ok.dll | ReversingLabs: Detection: 57%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\BsYHxeX7Ok.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 444
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 472
                Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000004.00000002.235969294.0000000004E4A000.00000004.00000001.sdmp
                Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
                Source: Binary string: ole32.pdb( source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
                Source: Binary string: upwntdll.pdb"w0 source: WerFault.exe, 00000004.00000003.231587693.0000000004E4A000.00000004.00000001.sdmp
                Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.264415332.000000000287F000.00000004.00000001.sdmp
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00762D98 push 00762E25h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0077086C push 00770898h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00773848 push 00773874h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00770834 push 00770860h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00764038 push 00764064h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00770020 push 00770058h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073C8F0 push 0073C91Ch; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B8EC push 0073B92Fh; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_007528C8 push 00752933h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073A0B4 push 0073A0E0h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_007738B8 push 007738E4h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073C8A4 push 0073C8E6h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00773880 push 007738ACh; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B964 push 0073B990h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00770934 push 00770960h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073E9E8 push 0073EA14h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00758994 push ecx; mov dword ptr [esp], ecx
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B99C push 0073B9D4h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B274 push 0073B2CDh; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00738A50 push 00738A7Ch; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073CA58 push 0073CA84h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073BA30 push 0073BA5Ch; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073AA38 push 0073AA87h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0076CA20 push 0076CA58h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0076BAF0 push 0076BB32h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073AAE0 push 0073AB0Ch; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073AAA8 push 0073AAD4h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00738B7C push 00738BA8h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0076BB64 push 0076BB90h; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073BB60 push 0073BB8Ch; ret
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00739B64 push 00739BA2h; ret
                Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: WerFault.exe, 00000007.00000003.253017420.000000000479F000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.279948140.0000000004340000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                Source: WerFault.exe, 00000007.00000002.254441564.0000000004780000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW(
                Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: WerFault.exe, 0000000B.00000003.278361427.0000000002854000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWb
                Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0071A823 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\System32\loaddll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard
                Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_007384D8 mouse_event,GetSystemMetrics,GetSystemMetrics,

                Stealing of Sensitive Information:

                Yara detected Emotet
                Source: Yara match, File source: 00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 1.2.loaddll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 1.2.loaddll32.exe.850000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 1.2.loaddll32.exe.710000.0.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
                |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                | Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection1 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
                | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
                | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
                | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Peripheral Device Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
                | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
                | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

                Behavior Graph

                [Behavior graph image not reproduced] Behavior Graph ID: 344139, Sample: BsYHxeX7Ok.dll, Start date: 26/01/2021, Architecture: WINDOWS, Score: 60. Signatures on the sample: Multi AV Scanner detection for submitted file; Yara detected Emotet; Machine Learning detection for sample. Process tree: loaddll32.exe started, and in turn started three WerFault.exe instances.

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                | Source | Detection | Scanner | Label | Link |
                |---|---|---|---|---|
                | BsYHxeX7Ok.dll | 14% | Virustotal | | Browse |
                | BsYHxeX7Ok.dll | 57% | ReversingLabs | Win32.Trojan.EmotetCrypt | |
                | BsYHxeX7Ok.dll | 100% | Joe Sandbox ML | | |

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                | Source | Detection | Scanner | Label | Link | Download |
                |---|---|---|---|---|---|
                | 1.2.loaddll32.exe.710000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File |

                Domains

                No Antivirus matches

                URLs

                | Source | Detection | Scanner | Label | Link |
                |---|---|---|---|---|
                | http://crl.microsoftmT9 | 0% | Avira URL Cloud | safe | |
                | http://crl.microsoftmT | 0% | Avira URL Cloud | safe | |

                Domains and IPs

                Contacted Domains

                No contacted domains info

                URLs from Memory and Binaries

                | Name | Source | Malicious | Antivirus Detection | Reputation |
                |---|---|---|---|---|
                | http://crl.microsoftmT9 | WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
                | http://crl.microsoftmT | WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |

                Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox Version: 31.0.0 Emerald
                Analysis ID: 344139
                Start date: 26.01.2021
                Start time: 07:15:18
                Joe Sandbox Product: CloudBasic
                Overall analysis duration: 0h 7m 41s
                Hypervisor based Inspection enabled: false
                Report type: light
                Sample file name: BsYHxeX7Ok.dll
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of new started processes analysed: 33
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Detection: MAL
                Classification: mal60.troj.winDLL@4/12@0/0
                EGA Information: Failed
                HDC Information:
                • Successful, ratio: 0.4% (good quality ratio 0.4%)
                • Quality average: 93.9%
                • Quality standard deviation: 3.4%
                HCA Information: Failed
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .dll
                Warnings:
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                • Excluded IPs from analysis (whitelisted): 92.122.145.220, 13.64.90.137, 104.43.193.48, 92.122.144.200, 51.11.168.160, 95.101.22.224, 95.101.22.216, 51.103.5.186, 52.155.217.156, 20.54.26.129
                • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, emea1.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net

                Simulations

                Behavior and APIs

                | Time | Type | Description |
                |---|---|---|
                | 07:16:20 | API Interceptor | 2x Sleep call for process: WerFault.exe modified |

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASN

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_7225963344ab2d4b76a392ee69fe603ad8f2abb_b4806494_1a50c15d\Report.wer
                Process: C:\Windows\SysWOW64\WerFault.exe
                File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
                Category: dropped
                Size (bytes): 10134
                Entropy (8bit): 3.7646610495056536
                Encrypted: false
                SSDEEP: 96:RYnj4CW0yTVy9hTot7JnqpXIQcQac6pcEccw35+a+z+HbHgEVG4rmMKazWbSmvFp:qjXUsH0tGtjpDH/u7s+S274ItWu
                MD5: C422BA0A5A2F8E68DE85C4F2B27F9744
                SHA1: 3BF55DF103B0A07C910E7212E996086058E92EE2
                SHA-256: 76F9281E1BBF7371B963688062377A17A0FF6C0EA433DA31BAF23F7607B0FD15
                SHA-512: A2CF62D79BE241ED893FC1D22D92A5584BB816D248509E744D6B853D6BC3F610290BEB393E370DA1008D9B711A11E2192F932F6A64E8AD36C30FA1C5AD2678F6
                Malicious: false
                Reputation: low
                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.1.4.7.7.7.4.7.2.5.7.1.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.1.4.7.7.7.7.9.7.5.7.1.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.9.d.6.e.a.f.-.7.1.e.6.-.4.a.2.9.-.8.e.a.8.-.2.0.2.1.e.c.2.5.3.e.2.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.7.c.d.e.3.2.-.2.3.0.5.-.4.d.7.d.-.8.7.3.3.-.4.f.e.3.3.0.1.4.0.1.3.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.0.4.-.0.0.0.1.-.0.0.1.6.-.f.6.d.a.-.b.d.2.a.f.6.f.3.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.
                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_c5a25cdcc8f97dcd0e408681553972f33acea_b4806494_1b20ef63\Report.wer
                Process: C:\Windows\SysWOW64\WerFault.exe
                File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
                Category: dropped
                Size (bytes): 10088
                Entropy (8bit): 3.7615576725876148
                Encrypted: false
                SSDEEP: 96:ox36Plcpj4CW0yEmqy9hT97efvpXIQcQPc6bcEycw37+a+z+HbHgEVG4rmMKazWG:E36SdXU/oHhfoXjpDH/u7sZS274ItWo
                MD5: 7C12BFAB0F59B52846C04CA731DB267F
                SHA1: 35D9E460CADC4404C6869BD59529D76B7D65F552
                SHA-256: 1B1AAD60F962C1D569BFCE727AC594D027798D06BA38326D51FCFB41E7FCC265
                SHA-512: 82B663750666DF8D20A7902E743E6304D570E6B48817CAD93D6E2A8750DC97081C2D1C21F59B2BAD1A5D546F56E60611207C4BAD7213C53875AB55179985120F
                Malicious: false
                Reputation: low
                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.1.4.7.7.8.6.0.0.6.9.5.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.1.4.7.7.9.0.2.5.6.9.4.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.1.d.f.a.c.c.-.1.3.c.a.-.4.d.e.1.-.b.4.1.7.-.5.e.b.2.d.c.5.f.0.1.5.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.d.6.2.6.9.f.0.-.5.5.2.e.-.4.3.7.3.-.a.7.1.f.-.7.5.e.6.d.e.a.3.0.0.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.0.4.-.0.0.0.1.-.0.0.1.6.-.f.6.d.a.-.b.d.2.a.f.6.f.3.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.
                C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_a074f448eb416fc5ae408d6a8da6168cd6117a23_b4806494_19c8a097\Report.wer
                Process: C:\Windows\SysWOW64\WerFault.exe
                File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
                Category: dropped
                Size (bytes): 9694
                Entropy (8bit): 3.759141443436875
                Encrypted: false
                SSDEEP: 96:ACj4CW0yxy9hT97WzSZpXIQcQac6pcEccw35+a+z+HbHgEVG4rmMKazWbSmvFVh/:XXU8H0tGtjpDy/u7s+S274ItbY
                MD5: C0C05C8B451A7A3E6C0931043ACAE82B
                SHA1: BBD9E48041A8C762CA2F04063102F83C6C58E2EC
                SHA-256: 124FCECED0D204475F000701E1B296B48038426D5A1C0480FEEB189B8E19D338
                SHA-512: 5573A6CB152E6CCBE99D757B9019DD96FB534B8268E279C366226410F10477BC29BDF75F62A1040B5A824A1DF8FC2A1DB78D55E1BF0B6D81E669DBCA3CAF0092
                Malicious: false
                Reputation: low
                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.1.4.7.7.6.9.2.2.5.7.1.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.c.f.7.6.d.6.-.c.8.0.b.-.4.1.6.4.-.9.c.c.3.-.9.0.4.f.f.e.5.d.8.f.7.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.a.1.7.b.f.d.-.a.0.6.1.-.4.c.c.8.-.9.5.e.d.-.c.0.6.6.4.0.8.c.6.a.f.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.0.4.-.0.0.0.1.-.0.0.1.6.-.f.6.d.a.-.b.d.2.a.f.6.f.3.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.3.0.:.1.2.:.1.5.:.2.1.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.
                C:\ProgramData\Microsoft\Windows\WER\Temp\WER9730.tmp.dmp
                Process: C:\Windows\SysWOW64\WerFault.exe
                File Type: Mini DuMP crash report, 15 streams, Tue Jan 26 15:16:09 2021, 0x1205a4 type
                Category: dropped
                Size (bytes): 41828
                Entropy (8bit): 2.038826544545495
                Encrypted: false
                SSDEEP: 192:w0RghZKselJ94Q2S1uBIWrE91VNybNDXnpon/J/j:tRWZ5elJGQ2ScSWwPybN8Fj
                MD5: 13F7C11E69DA9921F0651BDEF07D381B
                SHA1: E0892C6958FECCD7EEAF5387B7B8A4B841454185
                SHA-256: 7A7A6DB3E948ADCFAEA494D9CEB767647D5BF746395B61BEBAC7B129117D7552
                SHA-512: 297C0760F2705149595CB09F3170DB9DA313C8CBCE833C7C2C2C89519DC48427385BE4D7D6EFC4B69B4D15AD41FE11A0C01AB9260AC4175770E2243C40DA62B3
                Malicious: false
                Reputation: low
                Preview: MDMP....... .......92.`...................U...........B..............GenuineIntelW...........T...........52.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ABC.tmp.WERInternalMetadata.xml
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):8348
                Entropy (8bit):3.6920162098436102
                Encrypted:false
                SSDEEP:192:Rrl7r3GLNi4DY6Qu2v6YIvSU8aigmfiSWCpN489bsn41fQkm:RrlsNiD6Z2v6YgSU8aigmfiS9snifi
                MD5:B087A84A63DCF6F547DED7B76CEA8618
                SHA1:0FE760CDC04A8A14D83F93FEC8BE0CB32B1A4415
                SHA-256:8EC704446CE8495B41A93C89D8C6ECFC9B8A969B6C01F3A19773B86A1D45CD63
                SHA-512:923B0462F9B50227320B7885D51437D4265C1F3A1A51256DCDF6BE16704DAA01EB039D193DFA5DA95E1606BD43D6AECCD2360DB4C88CB818B522D8BAB53E78BE
                Malicious:false
                Reputation:low
                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.0.4.<./.P.i.d.>.......
                C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DDA.tmp.xml
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4658
                Entropy (8bit):4.429769617248258
                Encrypted:false
                SSDEEP:48:cvIwSD8zsxRJgtWI9r2yWSC8B548fm8M4JONgFa2+q8vYNQxKcQIcQwv+ld:uITfxESSN/1JjKLxKkwv+ld
                MD5:15F23103DA45B2E2067424F685EEAC3B
                SHA1:0A0ECF39D509F43B7A4DDA03CC795ED7FDD98F35
                SHA-256:E7395CD429268F456A2870CFAA16863EEE1BE912FCFB1C984E05C37814307726
                SHA-512:0A25EAA7333E6DB9589FB4BA33CD61043AB5ECC0C0821F0681419D5561AFED3CCC99B61E04083688758C89137E26FE1A82D45EBF2A7BA78B3458EF2CAC9D38AE
                Malicious:false
                Reputation:low
                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="833786" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                C:\ProgramData\Microsoft\Windows\WER\Temp\WERACAC.tmp.dmp
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 15 streams, Tue Jan 26 15:16:15 2021, 0x1205a4 type
                Category:dropped
                Size (bytes):41588
                Entropy (8bit):1.9841631652526566
                Encrypted:false
                SSDEEP:192:eTJghZKs+lJV4QLduBIWrNkSIyP0R57uClbfyS:IJWZ5+lJeQLESWR1IycmS
                MD5:765F4C728B13DB1896B73E947B12A075
                SHA1:3A442390A85D48F3C59F11EC23CD50616DF903EE
                SHA-256:90713247A4E4F0607D07381F754AE6FD3ABA76219BB96F45E4D8EEC59D43FF0F
                SHA-512:CC29B2948E90E7B937D9D3440C2D8C1E60365397E1AD1500116E4171F26485C11D364EE26B04B140A880073C7171910DA4C9C3F53F87A58C1B6EE64BB226F312
                Malicious:false
                Reputation:low
                Preview: MDMP....... .......?2.`...................U...........B..............GenuineIntelW...........T...........52.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF9B.tmp.WERInternalMetadata.xml
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):8324
                Entropy (8bit):3.6961754756167085
                Encrypted:false
                SSDEEP:192:Rrl7r3GLNi4Dc67k2v6YI6SUqaRyegmf4SWCpr789bRnYsfzbm:RrlsNi36Y2v6Y1SUqawegmf4SiRnLfu
                MD5:62A4C5380C0701B801FB197677E5ABAC
                SHA1:4D292495B0B5F91FE005AE50849CAFABA41DBBA3
                SHA-256:75913919B52F091A4CE08D29F16A405613FC5E3D46BB781B98C4444AD14D4A5D
                SHA-512:3969A874806BBEE55F225514FA20B83BD0A33D7B78CBDBC6B5FF79DF564D3D1937EB3203607CCCEFB696C8AA6F4AF4715ACDD7FB32701BBEA2008A0E535D9FF7
                Malicious:false
                Reputation:low
                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.0.4.<./.P.i.d.>.......
                C:\ProgramData\Microsoft\Windows\WER\Temp\WERB133.tmp.xml
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4597
                Entropy (8bit):4.472832368306633
                Encrypted:false
                SSDEEP:48:cvIwSD8zsxRJgtWI9r2yWSC8BCa8fm8M4JO6ZFD+q8bDRxKcQIcQwv+kd:uITfxESSNkJ1XGRxKkwv+kd
                MD5:BC1B5B1EEC72DA00CD5949DC7F3BA676
                SHA1:E12EC1F3D79B613019F10A0045D0438CC00E1BCC
                SHA-256:1B18F4B5F4C9BFEBA22BADF0E6151A5E12F659825AD8D70BD4E646BB80C1E6F6
                SHA-512:CEE37113BD761A498F4F3E4EC6967A6254E339AE4FB5657EC08E286BD46DD4ECAAD9FE01C3B775B7C6AF0724369330DB21AD1EF0DB9FAC0828C24E80BD402871
                Malicious:false
                Reputation:low
                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="833786" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8BE.tmp.dmp
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 15 streams, Tue Jan 26 15:16:26 2021, 0x1205a4 type
                Category:dropped
                Size (bytes):38012
                Entropy (8bit):1.9487981955990552
                Encrypted:false
                SSDEEP:192:T9NhZKs+lJn4QjeuBIWrR79BK7EIjefEgd:JNhZ5+lJ4QjlSWV9BLEy
                MD5:0B9AD215C68D0C2D8D4ECF2D37D404FA
                SHA1:E59D52ABA900ABB633313B1C1069C44EA413D5CD
                SHA-256:A2359A269A277B7C0C9F22E3B87C282F06660E5CD25522CC1B0261CE1010DF7F
                SHA-512:381A837F6896D77F9666D088D5126163C908D6289AF713FD96472AF7DFFDDDFB5AC17C971D5840CB9AEE8928ED6A3418D0AA6D6BB1581F94F1343ABA2CF90BBD
                Malicious:false
                Reputation:low
                Preview: MDMP....... .......J2.`...................U...........B..............GenuineIntelW...........T...........52.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD04.tmp.WERInternalMetadata.xml
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):8284
                Entropy (8bit):3.6935941200272753
                Encrypted:false
                SSDEEP:192:Rrl7r3GLNi4DK6ON2v6YIBSUqWJGgmfVSNCpDI89bgnYsfT6jAm:RrlsNiZ6U2v6YOSUqRgmfVSognLfex
                MD5:D3EF14C680659FAFE7857906EA45F07E
                SHA1:8E38362D0022974C6F9D4DE01928B9860149F470
                SHA-256:1CC0D42DE82F5B2CD5BF2DAEE353CC4C7D04908884ABAFB8B78401015163A0FA
                SHA-512:18C25D8A622E514729EBCB9BCAB71D67B40557689605E49746F35A412D04FE4B75C9E16C613D3BBCF4A502C444C142360DADEC758B703F01EB53FAF1E89683A1
                Malicious:false
                Reputation:low
                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.0.4.<./.P.i.d.>.......
                C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF96.tmp.xml
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4557
                Entropy (8bit):4.4437911607407345
                Encrypted:false
                SSDEEP:48:cvIwSD8zsxKJgtWI9r2yWSC8Bk8fm8M4JORjFa5+q8p8nxKcQIcQwv+kd:uITf+ESSNnJ1bxKkwv+kd
                MD5:0299DEE8AB3686E56106BD95512135EE
                SHA1:99340B2A5043DCC5BC2953D621AA2A1193B649CF
                SHA-256:085A99D7E2E96BA20FDC7A439CD870BE4B5DBEBE288B8A411B9F9E2EDBC3D448
                SHA-512:913A7E69FF027B2E0FA6468B3AC9D02D316184596845B6B30B581F13B3E11F2D4BFD47D98E73795F3F13222B104D61C496788CA99B032B6E2AE44A06B48A75D4
                Malicious:false
                Reputation:low
                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="833787" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                Static File Info

                General

                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.906327751615201
                TrID:
                • Win32 Dynamic Link Library (generic) (1002004/3) 97.97%
                • Win32 Executable Delphi generic (14689/80) 1.44%
                • Win16/32 Executable Delphi generic (2074/23) 0.20%
                • Generic Win/DOS Executable (2004/3) 0.20%
                • DOS Executable Generic (2002/1) 0.20%
                File name:BsYHxeX7Ok.dll
                File size:628736
                MD5:0125320a954399ad7b275b67b97a273f
                SHA1:37afd871f306977f49c56400183ef5a80d8748f1
                SHA256:d8a15d14d7bdc4d2e1d948e20cf2835b452f46b2c0860ccd8147ee8d8a43adec
                SHA512:bc4b30147d97520ff627cf8e843ffe3619ae7423fe1da7f3e6b21a0452728c1ba944d5acb53c65ea07372db22f9fac5c850683a5e385335ad08f28c6d20e6951
                SSDEEP:12288:SYzchQVZnkmt/70MWugxPJZFpf0c1pHBbdJrs2xnd:d4KV5Hpt8bZHLXCA
                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                File Icon

                Icon Hash:b99988fcd4f66e0f

                Static PE Info

                General

                Entrypoint:0x463ebc
                Entrypoint Section:CODE
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                DLL Characteristics:
                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:7ed08afc6b0c9da85427ea1b02b1e145

                Entrypoint Preview

                Instruction
                push ebp
                mov ebp, esp
                add esp, FFFFFFC4h
                mov eax, 00463C14h
                call 00007FCAB4E9DD45h
                mov dword ptr [0046666Ch], 00463928h
                mov eax, 00000001h
                call 00007FCAB4EFB23Dh
                call 00007FCAB4E9B9FCh
                lea eax, dword ptr [eax+00h]
                add byte ptr [eax], al

                Data Directories

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x67000 | 0x22ec | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x71000 | 0x2ba00 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6a000 | 0x6ed4 | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                CODE | 0x1000 | 0x62ee8 | 0x63000 | False | 0.52030806108 | data | 6.5550941356 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                DATA | 0x64000 | 0x14cc | 0x1600 | False | 0.433948863636 | data | 4.11607326462 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                BSS | 0x66000 | 0xcd1 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .idata | 0x67000 | 0x22ec | 0x2400 | False | 0.359809027778 | data | 4.92726416893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .reloc | 0x6a000 | 0x6ed4 | 0x7000 | False | 0.624232700893 | data | 6.67422538704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                .rsrc | 0x71000 | 0x2ba00 | 0x2ba00 | False | 0.685765132521 | data | 6.85431640563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                Resources

                Name | RVA | Size | Type | Language | Country
                FF | 0x71b2c | 0x25c09 | data | English | United States
                RT_CURSOR | 0x97738 | 0x134 | data | |
                RT_CURSOR | 0x9786c | 0x134 | data | |
                RT_CURSOR | 0x979a0 | 0x134 | data | |
                RT_CURSOR | 0x97ad4 | 0x134 | data | |
                RT_CURSOR | 0x97c08 | 0x134 | data | |
                RT_CURSOR | 0x97d3c | 0x134 | data | |
                RT_CURSOR | 0x97e70 | 0x134 | data | |
                RT_BITMAP | 0x97fa4 | 0x1d0 | data | |
                RT_BITMAP | 0x98174 | 0x1e4 | data | |
                RT_BITMAP | 0x98358 | 0x1d0 | data | |
                RT_BITMAP | 0x98528 | 0x1d0 | data | |
                RT_BITMAP | 0x986f8 | 0x1d0 | data | |
                RT_BITMAP | 0x988c8 | 0x1d0 | data | |
                RT_BITMAP | 0x98a98 | 0x1d0 | data | |
                RT_BITMAP | 0x98c68 | 0x1d0 | data | |
                RT_BITMAP | 0x98e38 | 0x1d0 | data | |
                RT_BITMAP | 0x99008 | 0x1d0 | data | |
                RT_BITMAP | 0x991d8 | 0xe8 | GLS_BINARY_LSB_FIRST | |
                RT_ICON | 0x992c0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059 | Russian | Russia
                RT_DIALOG | 0x995a8 | 0x52 | data | |
                RT_STRING | 0x995fc | 0x404 | data | |
                RT_STRING | 0x99a00 | 0x1cc | data | |
                RT_STRING | 0x99bcc | 0x188 | data | |
                RT_STRING | 0x99d54 | 0x1b0 | data | |
                RT_STRING | 0x99f04 | 0x218 | data | |
                RT_STRING | 0x9a11c | 0xec | data | |
                RT_STRING | 0x9a208 | 0x224 | data | |
                RT_STRING | 0x9a42c | 0x33c | data | |
                RT_STRING | 0x9a768 | 0x3d4 | data | |
                RT_STRING | 0x9ab3c | 0x3a4 | data | |
                RT_STRING | 0x9aee0 | 0x3e8 | data | |
                RT_STRING | 0x9b2c8 | 0xf4 | data | |
                RT_STRING | 0x9b3bc | 0xc4 | data | |
                RT_STRING | 0x9b480 | 0x2c0 | data | |
                RT_STRING | 0x9b740 | 0x478 | data | |
                RT_STRING | 0x9bbb8 | 0x3ac | data | |
                RT_STRING | 0x9bf64 | 0x2d4 | data | |
                RT_RCDATA | 0x9c238 | 0x10 | data | |
                RT_RCDATA | 0x9c248 | 0x358 | data | |
                RT_RCDATA | 0x9c5a0 | 0x29c | Delphi compiled form 'TForm1' | |
                RT_GROUP_CURSOR | 0x9c83c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                RT_GROUP_CURSOR | 0x9c850 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                RT_GROUP_CURSOR | 0x9c864 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                RT_GROUP_CURSOR | 0x9c878 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                RT_GROUP_CURSOR | 0x9c88c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                RT_GROUP_CURSOR | 0x9c8a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                RT_GROUP_CURSOR | 0x9c8b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                RT_GROUP_ICON | 0x9c8c8 | 0x14 | data | Russian | Russia

                Imports

                DLL | Import
                kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                kernel32.dll | TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
                advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                kernel32.dll | lstrcpyA, WriteFile, WinExec, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFileA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
                user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperW, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharUpperBuffA, CharUpperA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                kernel32.dll | Sleep
                oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
                ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize
                oleaut32.dll | CreateErrorInfo, GetErrorInfo, SetErrorInfo, SysFreeString
                comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                user32.dll | DdeCmpStringHandles, DdeFreeStringHandle, DdeQueryStringA, DdeCreateStringHandleA, DdeGetLastError, DdeFreeDataHandle, DdeUnaccessData, DdeAccessData, DdeCreateDataHandle, DdeClientTransaction, DdeNameService, DdePostAdvise, DdeSetUserHandle, DdeQueryConvInfo, DdeDisconnect, DdeConnect, DdeUninitialize, DdeInitializeA

                Possible Origin

                Language of compilation system | Country where language is spoken
                English | United States
                Russian | Russia

                Network Behavior

                Network Port Distribution

                UDP Packets

                Timestamp                           Source Port  Dest Port  Source IP    Dest IP
                Jan 26, 2021 07:16:01.119040012 CET 61733        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:01.178134918 CET 53           61733      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:01.209001064 CET 65447        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:01.256872892 CET 53           65447      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:02.487807035 CET 52441        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:02.546792030 CET 53           52441      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:03.683407068 CET 62176        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:03.739995003 CET 53           62176      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:05.011957884 CET 59596        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:05.059942961 CET 53           59596      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:05.960835934 CET 65296        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:06.011603117 CET 53           65296      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:07.402606964 CET 63183        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:07.450618029 CET 53           63183      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:08.767453909 CET 60151        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:08.826179981 CET 53           60151      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:10.116492033 CET 56969        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:10.164515972 CET 53           56969      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:13.290750980 CET 55161        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:13.341430902 CET 53           55161      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:18.910341024 CET 54757        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:18.958494902 CET 53           54757      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:27.058024883 CET 49992        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:27.119025946 CET 53           49992      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:31.141572952 CET 60075        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:31.192306995 CET 53           60075      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:34.584722042 CET 55016        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:34.632829905 CET 53           55016      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:42.898499012 CET 64345        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:42.954871893 CET 53           64345      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:50.643254042 CET 57128        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:50.691179037 CET 53           57128      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:56.036890030 CET 54791        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:56.092883110 CET 53           54791      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:56.728971958 CET 50463        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:56.788089037 CET 53           50463      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:57.551562071 CET 50394        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:57.608000994 CET 53           50394      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:16:58.070348024 CET 58530        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:16:58.121098995 CET 53           58530      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:17:00.018488884 CET 53813        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:17:00.077462912 CET 53           53813      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:17:00.651200056 CET 63732        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:17:00.707487106 CET 53           63732      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:17:01.280186892 CET 57344        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:17:01.330993891 CET 53           57344      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:17:01.361679077 CET 54450        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:17:01.425633907 CET 53           54450      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:17:02.171823025 CET 59261        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:17:02.230834007 CET 53           59261      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:17:02.438508034 CET 57151        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:17:02.494695902 CET 53           57151      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:17:05.021364927 CET 59413        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:17:05.077379942 CET 53           59413      8.8.8.8      192.168.2.5
                Jan 26, 2021 07:17:05.499620914 CET 60516        53         192.168.2.5  8.8.8.8
                Jan 26, 2021 07:17:05.555548906 CET 53           60516      8.8.8.8      192.168.2.5

                Code Manipulations

                Statistics

                Behavior

                System Behavior

                General

                Start time: 07:16:05
                Start date: 26/01/2021
                Path: C:\Windows\System32\loaddll32.exe
                Wow64 process (32bit): true
                Commandline: loaddll32.exe 'C:\Users\user\Desktop\BsYHxeX7Ok.dll'
                Imagebase: 0x1050000
                File size: 120832 bytes
                MD5 hash: 2D39D4DFDE8F7151723794029AB8A034
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: Borland Delphi
                Yara matches:
                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp, Author: Joe Security
                Reputation: moderate

                General

                Start time: 07:16:07
                Start date: 26/01/2021
                Path: C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit): true
                Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240
                Imagebase: 0x240000
                File size: 434592 bytes
                MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 07:16:13
                Start date: 26/01/2021
                Path: C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit): true
                Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 444
                Imagebase: 0x240000
                File size: 434592 bytes
                MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 07:16:24
                Start date: 26/01/2021
                Path: C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit): true
                Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 472
                Imagebase: 0x240000
                File size: 434592 bytes
                MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                Disassembly

                Code Analysis