
Windows Analysis Report nIQCsrVbbw

Overview

General Information

Sample Name: nIQCsrVbbw (renamed file extension from none to dll)
Analysis ID: 553359
MD5: 06b75d254c6844f78c7d7eefa5b1243e
SHA1: af4b4dccf317dbeeab97868a9514a7c9e496c8d3
SHA256: b0e46325319e75a2490a73045a60030961851c07d266df73d7e048799e133ec7
Tags: 32dllexe

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6748 cmdline: loaddll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6764 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6784 cmdline: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 2484 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6772 cmdline: regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6844 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6816 cmdline: rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4872 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6012 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6632 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 7056 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1768 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 3876 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6636 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6980 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2064 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.361373048.0000000000881000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000C.00000002.369867351.0000000005381000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.306596758.0000000003330000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000000.376038820.0000000000D51000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000C.00000002.369320365.00000000051C1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 27 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.rundll32.exe.4860000.8.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.1140000.2.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
2.2.regsvr32.exe.3330000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
12.2.rundll32.exe.5380000.9.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
12.2.rundll32.exe.51c0000.5.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 44 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6764, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, ProcessId: 6784

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.d00000.0.raw.unpack | Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: nIQCsrVbbw.dll | Virustotal: Detection: 15%
Source: nIQCsrVbbw.dll | ReversingLabs: Detection: 16%
Source: nIQCsrVbbw.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383845627.00000000035D4000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383476749.0000000005098000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.394941169.0000000000EF2000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383589686.00000000035DA000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb= source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49743 -> 45.138.98.34:80
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49744 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 45.138.98.34:80
Source: Malware configuration extractor | IPs: 69.16.218.101:8080
Source: Malware configuration extractor | IPs: 51.210.242.234:8080
Source: Malware configuration extractor | IPs: 185.148.168.220:8080
Source: Malware configuration extractor | IPs: 142.4.219.173:8080
Source: Malware configuration extractor | IPs: 54.38.242.185:443
Source: Malware configuration extractor | IPs: 191.252.103.16:80
Source: Malware configuration extractor | IPs: 104.131.62.48:8080
Source: Malware configuration extractor | IPs: 62.171.178.147:8080
Source: Malware configuration extractor | IPs: 217.182.143.207:443
Source: Malware configuration extractor | IPs: 168.197.250.14:80
Source: Malware configuration extractor | IPs: 37.44.244.177:8080
Source: Malware configuration extractor | IPs: 66.42.57.149:443
Source: Malware configuration extractor | IPs: 210.57.209.142:8080
Source: Malware configuration extractor | IPs: 159.69.237.188:443
Source: Malware configuration extractor | IPs: 116.124.128.206:8080
Source: Malware configuration extractor | IPs: 128.199.192.135:8080
Source: Malware configuration extractor | IPs: 195.154.146.35:443
Source: Malware configuration extractor | IPs: 185.148.168.15:8080
Source: Malware configuration extractor | IPs: 195.77.239.39:8080
Source: Malware configuration extractor | IPs: 207.148.81.119:8080
Source: Malware configuration extractor | IPs: 85.214.67.203:8080
Source: Malware configuration extractor | IPs: 190.90.233.66:443
Source: Malware configuration extractor | IPs: 78.46.73.125:443
Source: Malware configuration extractor | IPs: 78.47.204.80:443
Source: Malware configuration extractor | IPs: 37.59.209.141:8080
Source: Malware configuration extractor | IPs: 54.37.228.122:443
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View | IP Address: 104.131.62.48 104.131.62.48
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 69.16.218.101:8080
Source: unknown | Network traffic detected: IP country count 12
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000017.00000003.472067286.000001D8FAB99000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000017.00000002.488230673.000001D8FAB00000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.827577818.0000023AC8E89000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001B.00000002.827577818.0000023AC8E89000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000E.00000003.438068118.00000000006E2000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.436839850.0000000004F9C000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f94ba70d714c2
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.17.dr | String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000017.00000003.465928142.000001D8FAB90000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10001280 recvfrom,
Source: loaddll32.exe, 00000000.00000000.379244317.00000000006FB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

                      E-Banking Fraud:

Yara detected Emotet

                      System Summary:

Source: nIQCsrVbbw.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Uibizbzyxusffon\
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 10030E38 appears 49 times
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 10030535 appears 76 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10030E38 appears 116 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1003578B appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10030535 appears 174 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10030568 appears 32 times
Source: nIQCsrVbbw.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: nIQCsrVbbw.dll | Virustotal: Detection: 15%
Source: nIQCsrVbbw.dll | ReversingLabs: Detection: 16%
Source: nIQCsrVbbw.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E1.tmp
Source: classification engine | Classification label: mal92.troj.evad.winDLL@29/14@0/28
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:3876:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6748
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10021183 LoadResource,LockResource,SizeofResource,
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383845627.00000000035D4000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383476749.0000000005098000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.394941169.0000000000EF2000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383589686.00000000035DA000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb= source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
                      Source: nIQCsrVbbw.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: nIQCsrVbbw.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: nIQCsrVbbw.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: nIQCsrVbbw.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: nIQCsrVbbw.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030E7D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC1195 push cs; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10030E7D push ecx; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: nIQCsrVbbw.dll Static PE information: real checksum: 0x970bf should be: 0x943a9
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ejank\xjmldn.gsl:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 3144 Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6908 Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                      Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.6 %
                      Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.0 %
                      Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.2 %
                      Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.17.dr Binary or memory string: VMware
                      Source: Amcache.hve.17.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.17.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.17.dr Binary or memory string: VMware, Inc.
                      Source: svchost.exe, 0000001B.00000002.827552655.0000023AC8E60000.00000004.00000001.sdmp Binary or memory string: y_Event$@Hyper-V RAW2d-4c2f-a0a5-91ba6f8f5c2f}LMEM
                      Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.17.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.17.dr Binary or memory string: VMware7,1
                      Source: Amcache.hve.17.dr Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.17.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: svchost.exe, 00000017.00000002.488004797.000001D8FA2EF000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.487873057.000001D8FA284000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.487235003.000001D8FA257000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.487824691.000001D8FA258000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.826608694.0000023AC362A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.827535646.0000023AC8E4A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.17.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.17.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.17.dr Binary or memory string: VMware, Inc.me
                      Source: Amcache.hve.17.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
                      Source: Amcache.hve.17.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.17.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCF7F7 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512
                      Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_1003732F GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10024F01 _memset, GetVersionExA
                      Source: Amcache.hve.17.dr, Amcache.hve.LOG1.17.dr, Binary or memory string: c:\users\user\desktop\procexp.exe
                      Source: Amcache.hve.17.dr, Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: Amcache.hve.17.dr, Amcache.hve.LOG1.17.dr, Binary or memory string: procexp.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10001160 WSAStartup, _memset, htonl, htons, socket, bind, setsockopt
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10001160 WSAStartup, _memset, htonl, htons, socket, bind, setsockopt
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 12_2_10001160 WSAStartup, _memset, htonl, htons, socket, bind, setsockopt

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Native API 2 | DLL Side-Loading 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 2 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 112 | Obfuscated Files or Information 2 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Input Capture 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading 1 | Security Account Manager | System Information Discovery 35 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | File Deletion 1 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 2 | LSA Secrets | Security Software Discovery 51 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 3 | Cached Domain Credentials | Virtualization/Sandbox Evasion 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Regsvr32 1 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                      Behavior Graph

                      Behavior Graph ID: 553359, Sample: nIQCsrVbbw, Startdate: 14/01/2022, Architecture: WINDOWS, Score: 92
                      • Analysis root: contacted 210.57.209.142 (UNAIR-AS-IDUniversitasAirlanggaID, Indonesia), 85.214.67.203 (STRATOSTRATOAGDE, Germany) and 23 other IPs or domains; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Multi AV Scanner detection for submitted file, 3 other signatures; started loaddll32.exe, svchost.exe, svchost.exe and 5 other processes
                      • loaddll32.exe started rundll32.exe, cmd.exe, regsvr32.exe and WerFault.exe
                      • The first svchost.exe started WerFault.exe; the second svchost.exe contacted 127.0.0.1
                      • rundll32.exe (started by loaddll32.exe): Hides that the sample has been downloaded from the Internet (zone.identifier); started a further rundll32.exe
                      • cmd.exe started rundll32.exe; regsvr32.exe started rundll32.exe
                      • The rundll32.exe below loaddll32.exe started another rundll32.exe, which contacted 45.138.98.34 (port 49743 -> 80, M247GB, Germany) and 69.16.218.101 (port 49744 -> 8080, LIQUIDWEBUS, United States); signature: System process connects to network (likely due to code injection or exploit)
                      • The rundll32.exe below cmd.exe started another rundll32.exe: Hides that the sample has been downloaded from the Internet (zone.identifier)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      nIQCsrVbbw.dll | 16% | Virustotal |
                      nIQCsrVbbw.dll | 16% | ReversingLabs |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      0.2.loaddll32.exe.d00000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      0.2.loaddll32.exe.d50000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      12.2.rundll32.exe.11d0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      12.2.rundll32.exe.5380000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      12.2.rundll32.exe.51c0000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      2.2.regsvr32.exe.3410000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      5.2.rundll32.exe.12a0000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      13.2.rundll32.exe.1190000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      5.2.rundll32.exe.1390000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
                      5.2.rundll32.exe.1270000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
                      0.0.loaddll32.exe.d50000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      12.2.rundll32.exe.5320000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      12.2.rundll32.exe.5090000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      0.0.loaddll32.exe.d50000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      5.2.rundll32.exe.1140000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
                      5.2.rundll32.exe.1170000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      12.2.rundll32.exe.5060000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
                      12.2.rundll32.exe.5350000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
                      5.2.rundll32.exe.560000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      5.2.rundll32.exe.4830000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      3.2.rundll32.exe.7c0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      2.2.regsvr32.exe.3330000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      0.0.loaddll32.exe.d00000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      12.2.rundll32.exe.52f0000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
                      5.2.rundll32.exe.4860000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
                      0.0.loaddll32.exe.d00000.3.unpack | 100% | Avira | HEUR/AGEN.1145233
                      12.2.rundll32.exe.4b70000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      13.2.rundll32.exe.4c90000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      3.2.rundll32.exe.880000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      5.2.rundll32.exe.bc0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      12.2.rundll32.exe.5190000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
                      12.2.rundll32.exe.56f0000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      12.2.rundll32.exe.56c0000.10.unpack | 100% | Avira | HEUR/AGEN.1145233

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
                      http://crl.ver) | 0% | Avira URL Cloud | safe
                      https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
                      https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
                      http://help.disneyplus.com. | 0% | URL Reputation | safe
                      https://disneyplus.com/legal. | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://crl.ver) | svchost.exe, 0000001B.00000002.827577818.0000023AC8E89000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://upx.sf.net | Amcache.hve.17.dr | false | | high
                      https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000017.00000003.465928142.000001D8FAB90000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://help.disneyplus.com. | svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://disneyplus.com/legal. | svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                        Contacted IPs


                        Private

                        IP
                        127.0.0.1

                        General Information

                        Joe Sandbox Version: 34.0.0 Boulder Opal
                        Analysis ID: 553359
                        Start date: 14.01.2022
                        Start time: 18:58:28
                        Joe Sandbox Product: CloudBasic
                        Overall analysis duration: 0h 14m 16s
                        Hypervisor based Inspection enabled: false
                        Report type: light
                        Sample file name: nIQCsrVbbw (renamed file extension from none to dll)
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of new started processes analysed: 33
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Detection: MAL
                        Classification: mal92.troj.evad.winDLL@29/14@0/28
                        EGA Information:
                        • Successful, ratio: 80%
                        HDC Information:
                        • Successful, ratio: 99.3% (good quality ratio 92.4%)
                        • Quality average: 70.9%
                        • Quality standard deviation: 27.1%
                        HCA Information:
                        • Successful, ratio: 80%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Override analysis time to 240s for rundll32
                        Warnings:
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 209.197.3.8, 93.184.221.240, 40.91.112.76, 20.54.110.249, 23.35.236.56
                        • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                        • Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        Time      Type             Description
                        19:00:45  API Interceptor  9x Sleep call for process: svchost.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\ProgramData\Microsoft\Network\Downloader\edb.log
                        Process:C:\Windows\System32\svchost.exe
                        File Type:MPEG-4 LOAS
                        Category:dropped
                        Size (bytes):1310720
                        Entropy (8bit):0.24859478426505882
                        Encrypted:false
                        SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4l:BJiRdwfu2SRU4l
                        MD5:51DC402A9F6C81E0BED7BE8CD9693A66
                        SHA1:0860EAFD248F50CE399F8BE75302C69B9AC2186B
                        SHA-256:AD6EA2A2ACEB0426A47FA5716F3F8A683FA9C5497ED8B73C9273746BAC5B030C
                        SHA-512:BD128F1262BF2AAB7A90E9824DED287F376666D570FEC5714BF74D9BE7B44F22E45AB09825A255AAE7F0CC0564ABD9B7E9DB9FC6F1C36CDDCA23215BCF0AA5F0
                        Malicious:false
                        Preview: V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                        Process:C:\Windows\System32\svchost.exe
                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb577f95a, page size 16384, DirtyShutdown, Windows version 10.0
                        Category:dropped
                        Size (bytes):786432
                        Entropy (8bit):0.2506719702516563
                        Encrypted:false
                        SSDEEP:384:s+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:zSB2nSB2RSjlK/+mLesOj1J2
                        MD5:D3944AD90064A7E4584F2DB27C5ADC86
                        SHA1:2E44696DFB217829BFF20523DC3B477A0811F074
                        SHA-256:934257669376A2690EB42234D498CF5709DFDDA7130025751526D7F382C2B793
                        SHA-512:EE003A63F02462D270612ABB17874E8CDC0DC5E3024CE48F5B1E898E480D42305AA7E1A6F796D07FCBD58B18F969266E341DD0A34C494C51FC1E6A82F3AB40DD
                        Malicious:false
                        Preview: .w.Z... ................e.f.3...w........................&..........w.......z..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................v......z.u................8.3......z..........................................................................................................................................................................................................................................................................................................................................................................................
                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):16384
                        Entropy (8bit):0.07672007947968082
                        Encrypted:false
                        SSDEEP:3:Wl/ll7EvvyBhI+j8l/bJdAtiGmmhttoll3Vkttlmlnl:2liaBhDj8t4VRhQ3
                        MD5:6C470310ECBB4F35FA720C7BC188746B
                        SHA1:2C392A6FDBF24BB955C99B1FEB373CA48642D8C5
                        SHA-256:B896754FCB6CC2860AABDB82A1AC5DE93ECA2410EA5A3497B0FD38C21A779E66
                        SHA-512:3D9C4281529A6DDF4B5DB8721903C37ED4C5587419EC07DEAECF9E1F1B584BA3F380981719D6C52BB0996F2A6D67A86AD441A199C6F8F261B70245F3255E74A9
                        Malicious:false
                        Preview: ..E......................................3...w.......z.......w...............w.......w....:O.....w..................8.3......z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7d3365b34093db6d884642e334bbbe4e6283fce_7cac0383_1858c648\Report.wer
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.7987766774476208
                        Encrypted:false
                        SSDEEP:96:9RrdnYyXy9haol7JfapXIQcQSc6mcEUcw3/s+a+z+HbHgLVG4rmMoVaz2PnmnPej:VnjHsieryj7q/u7saS274ItW
                        MD5:030E2D9BBA13D29640FC53D6F406D48D
                        SHA1:AA68FC7ECDD6942B61FC27365E34E791BD2ED08F
                        SHA-256:B67B89C0D3FA51AB3D8C74CDEE6DB758AB665E338104A154E864C1936481F936
                        SHA-512:86ACB807926A2A764A5199C4DD58239C5854E36B954DB8946168C9EEDD111E31B19CB26C9897B2632F7EB6237A35923A731E37BEE9E59E681D56F3DA11A098C9
                        Malicious:false
                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.8.9.2.0.8.5.1.0.3.9.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.9.3.b.7.5.b.-.d.4.6.d.-.4.c.b.8.-.9.4.5.b.-.8.c.1.c.1.5.2.3.b.5.3.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.8.a.9.3.b.3.a.-.a.a.4.9.-.4.9.c.8.-.9.0.3.1.-.b.6.6.6.5.a.c.8.1.1.5.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.5.c.-.0.0.0.1.-.0.0.1.c.-.e.8.9.2.-.6.b.e.9.b.b.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E1.tmp.csv
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):51348
                        Entropy (8bit):3.0619519178684405
                        Encrypted:false
                        SSDEEP:1536:RnHX0mJFybvGHRd10T2LcYzr1pib0lqtWBKXTdPjQjC:RnHX0mJFybvGHRd10T2LcYzr1Mb0lqt3
                        MD5:6B1E58957A41AF1EC4FC58CA70BD59CD
                        SHA1:C8412D5B6DE309505D5E562B31460A21A87744C2
                        SHA-256:63051A2FC6AC62D918072A5CD2184BE7A278D034871139ED77865C9FAAF787B0
                        SHA-512:5F3DC03B5B8EAB0857CEB652D50A4A7F7B386E61DA52B9B56E2969129AA4B4DA44D88399D43444A2318D31C9ED2CC3B7CC8497B4B2B602F4E5C9070BBCF556F8
                        Malicious:false
                        Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER48CA.tmp.txt
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):13340
                        Entropy (8bit):2.6947815228058167
                        Encrypted:false
                        SSDEEP:96:9GiZYWXbIfriyY7YFTWkiH6YEZpmtoijOO+hwjqRaljS9x4kIvv3:9jZDXos+oaaljux4Tvv3
                        MD5:45928CC03A93897925D4ED016E93C10C
                        SHA1:FCE2AFF07EF67490416298A848BB5E7F99E235A9
                        SHA-256:D3006E019A2F2729BFF81B10D0F7CAA814DD6959425E1F4F6BDFE9812AF5D50E
                        SHA-512:04530BCAFB114F0005E8F02F2044E5D028EE0D0269B1B2F3CF2B7E8FDA8E1521675B53A1CAD9E53B3C55D865EB1DC13C0716C5AAFC28EF0E3C97346C2CC551A0
                        Malicious:false
                        Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERB61B.tmp.dmp
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Sat Jan 15 03:00:09 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):45464
                        Entropy (8bit):2.0702878641495355
                        Encrypted:false
                        SSDEEP:192:g317XMoyAKOuWtzZoPJZ2a2LYw/ZILmCEi7zYGbI0dG4Woq:C7pfuWVZoPGvLYw/eLmXi7zYGbIl
                        MD5:BD343ADAD03C9995B4EA2C3EB1373745
                        SHA1:240981625408A7E4800196D0BED975AE1E97C531
                        SHA-256:94000B5C993375C966E713E7886E9CD1B9F018FDA7958DF6959130753E26CB55
                        SHA-512:B683B8879B180766802B02E0C94B93D2A28267F602D305FB7A095EE435DB8033D55AD9681C8D94208FD14DA1BFFA620163AE1E3A726639B459A4CB033DCB095A
                        Malicious:false
                        Preview: MDMP....... ........8.a....................................$...T............%..........`.......8...........T...........................x...........d....................................................................U...........B..............GenuineIntelW...........T.......\....8.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC85.tmp.WERInternalMetadata.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8352
                        Entropy (8bit):3.699125370720691
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNiHR6HRbx6YF8SURbgmfzSwGmCpBh89bvmsftFm:RrlsNix6xbx6YeSURbgmfzSwTvFfO
                        MD5:DA7CFC33DFCE8DABA83C4EA42ADF32C6
                        SHA1:63D2E474088C182A4711071B217918858C89EA71
                        SHA-256:95967CA4FB21A290203A7574A307999BDE48EC81A80D9C1EBEBB427EC77A6436
                        SHA-512:EDC65F6F32A9DBE2BAB9D3C3D3E3A166FD47F8FAC68700FE3CABF7F6BD1261D0A45CF765037197ACCBA9343549B9CA0AA70A97ADF78A3422C13E75B766640E8E
                        Malicious:false
                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.4.8.<./.P.i.d.>.......
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF45.tmp.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4598
                        Entropy (8bit):4.471806726263325
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zsRJgtWI9gjeWSC8BU8fm8M4J2+WZF1+q84pvEKcQIcQw0cQd:uITfjHjfSN3JAx5EKkw0fd
                        MD5:662A1A367461BA31DB23340401FD97AB
                        SHA1:523C2303A37800C0E8A73B16DC5EE89FA379130E
                        SHA-256:917F8CDCF7BF4FDAC65412CFBE5C28FBE72D4D28A2B8E48E8712252A697CC62C
                        SHA-512:16A4238C54AC27E4719D0900BCCB823D38A882CE07E42B0BD21DE4A7902A20E0515FA3D0BE11BEDAAFA21FAD4C77D0BD2FA5B46683239EFC113EBE51572A18A0
                        Malicious:false
                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342810" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                        Category:dropped
                        Size (bytes):61414
                        Entropy (8bit):7.995245868798237
                        Encrypted:true
                        SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                        MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                        SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                        SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                        SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                        Malicious:false
                        Preview: MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:data
                        Category:modified
                        Size (bytes):328
                        Entropy (8bit):3.1244568012511515
                        Encrypted:false
                        SSDEEP:6:kKu0k8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:209kPlE99SNxAhUeYlUSA/t
                        MD5:7F09ADF005426F52A243F8841E74EFE3
                        SHA1:DBF5C90A9BBAE8BFA3C60F2F1B7E0B4C58254C71
                        SHA-256:C3D2BE8AB9CD6874A1D13CCAFCEB3FE354986399118D9756427EB9C40DE192FC
                        SHA-512:90D651BBDD3482441168A16CE9318BE8936D24C43A46BD9B15CB20D7BF6D5EE7E699110F4578CDDF55F7C05B36D4AA26751E11CA87C3C355836F321D7E3FA36B
                        Malicious:false
                        Preview: p...... .........}9.....(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...
                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Process:C:\Windows\System32\svchost.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):55
                        Entropy (8bit):4.306461250274409
                        Encrypted:false
                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                        Malicious:false
                        Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                        C:\Windows\appcompat\Programs\Amcache.hve
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1572864
                        Entropy (8bit):4.264668857187777
                        Encrypted:false
                        SSDEEP:12288:352KJvR+Eb3Bmgn1HZfkx3kDKj64WZpJYZE7Yc7GpqP4BxzSq/bdL:p2KJvR+Eb3BmgnTo
                        MD5:E6298D490A541EF8F687C9FE5B0DFC20
                        SHA1:AC6036A760334F24CBC3B7FECC0C9102778FB889
                        SHA-256:D39DE5CA4FB67686131204CFB251D3C5DA07CA486AC985C85C4548D527B33660
                        SHA-512:AED007A7A5970462C141C11BEB66F0A4D60581FDC928E945EAFAC86700C540F8D8B49BDD3407EB222A610956B3700DA06312744C22C54C8ED865F301969597FB
                        Malicious:false
                        Preview: regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmf]h...................................................................................................................................................................................................................................................................................................................................................c]........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):16384
                        Entropy (8bit):3.3825589105427794
                        Encrypted:false
                        SSDEEP:192:Y9wUv1du5m0KCYO5FSEsWftx19xgoJ4XSaJNSdkyFn6yvRrsfmWfYjdsiDoXzCF:Ojw5Rftx19PJ4XS7FFn7RZd1DoXzCF
                        MD5:B55740C905DEDF938ECE9AA720F2D7AF
                        SHA1:8AAAF759CF0C4BE4B0F7EBC792C35397A58A33BD
                        SHA-256:2D1F3529349467CCF6270C3D0955E5371A66958620B99777B362F22AC547A828
                        SHA-512:5047D80FA3EBFCB5BB948803F15E22537B93C01B72B67CFDF39FBB47AFBC653CD78EEAAD43C368B5DEFCD04A43DE1440C5CC250F08850291C5F544EFBA97C740
                        Malicious:false
                        Preview: regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmf]h...................................................................................................................................................................................................................................................................................................................................................c]HvLE.>......Y.............(.Z...=.....1.........0..............hbin................p.\..,..........nk,..j..................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..j......... ........................... .......Z.......................Root........lf......Root....nk ..j......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...
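The "Entropy (8bit)" and "Encrypted" fields in the table above are a heuristic, not a finding: the one file flagged Encrypted:true is the 61414-byte cabinet in CryptnetUrlCache, whose metadata entry names its origin as http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab, the Windows certificate trust list that CryptoAPI fetches whenever a process validates a certificate chain. It reads as "encrypted" only because deflate output is nearly uniform, exactly like ciphertext. The script below is an added example, not part of the Joe Sandbox report, that recomputes the report's per-file entropy and hash columns over constructed buffers standing in for three entry types (zero-filled like qmgr.jfm, compressed like the CAB, and random-looking ciphertext); the 7.9 cut-off for the Encrypted flag is an assumption, since the report does not state its threshold.

```python
"""8-bit Shannon entropy and hashes as the dropped-file table reports them,
run over constructed buffers that mimic three of the entries above."""
import hashlib
import math
import zlib
from collections import Counter

# Assumed cut-off for the report's "Encrypted" flag; Joe Sandbox's own
# threshold is not stated on the page.
HIGH_ENTROPY = 7.9


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_facts(name: str, data: bytes) -> dict:
    """The per-file columns of the dropped-file table for one buffer."""
    ent = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "entropy": ent,
        # High entropy means compressed OR encrypted; it says nothing about intent.
        "encrypted": ent >= HIGH_ENTROPY,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def pseudorandom(size: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic SHA-256 chain; stands in for a ciphertext-like payload."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def sample_buffers() -> dict:
    """Constructed inputs, not files from the analysis."""
    text = "".join(f"entry {i:05d} value {(i * 7919) % 10007}\n" for i in range(4000)).encode()
    return {
        "zero-filled (like qmgr.jfm)": bytes(16384),
        "plain text": text,
        "deflate-compressed text (like a CAB payload)": zlib.compress(text, 9),
        "pseudorandom (like ciphertext)": pseudorandom(65536),
    }


if __name__ == "__main__":
    for name, buf in sample_buffers().items():
        f = file_facts(name, buf)
        print(f"{f['name']:<45} size={f['size']:>6} entropy={f['entropy']:.3f} "
              f"encrypted={f['encrypted']} sha256={f['sha256'][:16]}...")
```

When triaging a report like this one, treat a high-entropy dropped file as something to identify (here: a CTL cabinet from a known Microsoft URL, written under the user's CryptnetUrlCache by the rundll32.exe process hosting the sample) rather than as evidence of packing or encryption by the malware itself.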

                        Static File Info

                        General

                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.767603370761852
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
                        • Windows Screen Saver (13104/52) 1.29%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:nIQCsrVbbw.dll
                        File size:588288
                        MD5:06b75d254c6844f78c7d7eefa5b1243e
                        SHA1:af4b4dccf317dbeeab97868a9514a7c9e496c8d3
                        SHA256:b0e46325319e75a2490a73045a60030961851c07d266df73d7e048799e133ec7
                        SHA512:afe13aee5ffa87d65a2d39a2b9aae1fcbc222e843497bf00744d82a543078235a4d648b78a9e66142d952650bb36caa319176ec445346e4ed4aef59fd7dd5200
                        SSDEEP:6144:cNU5LwA22222GgngDrDRVyYli/ci2tEGW78ODQiEJtvOSk5DKXOW14IkFxVFgY4E:x5w7YM/cYVV7EOOpOJyvnHtytFyQ
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.......................................^F......^P.n....^W.t....^Y......^A......^G......^B.....Rich....................PE..L..

                        File Icon

                        Icon Hash:71b018ccc6577131

                        Static PE Info

                        General

                        Entrypoint:0x1002eaac
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x10000000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                        DLL Characteristics:
                        Time Stamp:0x61E03DE6 [Thu Jan 13 14:57:42 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:0
                        File Version Major:5
                        File Version Minor:0
                        Subsystem Version Major:5
                        Subsystem Version Minor:0
                        Import Hash:7f57698bb210fa88a6b01b1feaf20957
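Two details in the header table deserve a second look. The entrypoint 0x1002eaac is the image base 0x10000000 plus the RVA 0x2eaac, and the entrypoint preview that follows opens with the `cmp dword ptr [ebp+0Ch], 01h` test of the fdwReason argument against DLL_PROCESS_ATTACH that a CRT DllMain wrapper performs. The empty "DLL Characteristics" line means neither DYNAMIC_BASE nor NX_COMPAT is set, so the image opts into neither ASLR nor DEP; that is unusual for a DLL built in January 2022 and worth recording alongside the import hash when pivoting. The script below is an added example, not Joe Sandbox code, that parses exactly the fields the table lists from a constructed minimal PE32 header carrying the report's values, and computes an import hash with the pefile-style algorithm (lowercased library name with its extension stripped, lowercased function name, entries joined by commas, MD5 of the result). The import list in the example is hypothetical; the sample's import table is not on the page, so the report's value 7f57698bb210fa88a6b01b1feaf20957 cannot be reproduced here.

```python
"""Parse the PE header fields listed in the report (entrypoint, image base,
timestamp, characteristics) from a constructed minimal PE32 header, and
compute an imphash the way the Import Hash field is derived."""
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (subset relevant here)
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (subset)
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",   # ASLR opt-in
    0x0100: "NX_COMPAT",      # DEP opt-in
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
EXPECTED_MITIGATIONS = ("DYNAMIC_BASE", "NX_COMPAT")
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def build_pe32_header(entry_rva, image_base, timestamp, characteristics,
                      dll_characteristics, subsystem=2):
    """Constructed input: DOS stub + NT headers, no sections. The field values
    come from the report; the bytes are not the sample's."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> NT headers
    file_hdr = struct.pack("<HHIIIHH",
                           0x014C,                     # Machine: i386
                           0,                          # NumberOfSections
                           timestamp,                  # TimeDateStamp
                           0, 0,                       # symbol table (unused)
                           96,                         # SizeOfOptionalHeader, no data dirs
                           characteristics)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase
    struct.pack_into("<HHHHHH", opt, 40, 5, 0, 5, 0, 5, 0)  # OS / image / subsystem versions
    struct.pack_into("<H", opt, 68, subsystem)       # Subsystem
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def _flags(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_pe_header(data):
    """Return the header facts the report's 'Static PE Info' table shows."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, _nsec, ts, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                 # optional header follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "entrypoint": image_base + entry_rva,         # VA, as the report prints it
        "imagebase": image_base,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "characteristics": _flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "missing_mitigations": [n for n in EXPECTED_MITIGATIONS if n not in _flags(dll_chars, DLL_CHARACTERISTICS)],
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "os_version": (os_maj, os_min),
        "file_version": (img_maj, img_min),
        "subsystem_version": (ss_maj, ss_min),
    }


def imphash_string(imports):
    """Normalized import list: 'lib.func' entries, lowercase, library extension
    stripped, ordinals as 'ordN' (pefile additionally resolves known ordinals
    for a few system DLLs; that refinement is omitted here)."""
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        func = ("ord%d" % func) if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (lib, func))
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


if __name__ == "__main__":
    hdr = build_pe32_header(entry_rva=0x2EAAC, image_base=0x10000000, timestamp=0x61E03DE6,
                            characteristics=0x2102, dll_characteristics=0)
    for key, value in parse_pe_header(hdr).items():
        print("%-20s %s" % (key, hex(value) if isinstance(value, int) else value))
    # Hypothetical import list, not the sample's real imports.
    print("imphash", imphash([("KERNEL32.dll", "GetProcAddress"), ("KERNEL32.dll", "LoadLibraryA")]))
```

Run on a real file, replace the constructed header with `open(path, "rb").read()`; the timestamp check is worth keeping because a build time that disagrees with first-seen dates, or a header with no DLL characteristics at all, are both cheap signals to add to the hash pivots.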

                        Entrypoint Preview

                        Instruction
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        cmp dword ptr [ebp+0Ch], 01h
                        jne 00007FD91CB75077h
                        call 00007FD91CB7D8E8h
                        push dword ptr [ebp+08h]
                        mov ecx, dword ptr [ebp+10h]
                        mov edx, dword ptr [ebp+0Ch]
                        call 00007FD91CB74F61h
                        pop ecx
                        pop ebp
                        retn 000Ch
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        push esi
                        push edi
                        mov edi, dword ptr [ebp+10h]
                        mov eax, edi
                        sub eax, 00000000h
                        je 00007FD91CB7665Bh
                        dec eax
                        je 00007FD91CB76643h
                        dec eax
                        je 00007FD91CB7660Eh
                        dec eax
                        je 00007FD91CB765BFh
                        dec eax
                        je 00007FD91CB7652Fh
                        mov ecx, dword ptr [ebp+0Ch]
                        mov eax, dword ptr [ebp+08h]
                        push ebx
                        push 00000020h
                        pop edx
                        jmp 00007FD91CB754E7h
                        mov esi, dword ptr [eax]
                        cmp esi, dword ptr [ecx]
                        je 00007FD91CB750EEh
                        movzx esi, byte ptr [eax]
                        movzx ebx, byte ptr [ecx]
                        sub esi, ebx
                        je 00007FD91CB75087h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007FD91CB754DFh
                        movzx esi, byte ptr [eax+01h]
                        movzx ebx, byte ptr [ecx+01h]
                        sub esi, ebx
                        je 00007FD91CB75087h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007FD91CB754BEh
                        movzx esi, byte ptr [eax+02h]
                        movzx ebx, byte ptr [ecx+02h]
                        sub esi, ebx
                        je 00007FD91CB75087h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007FD91CB7549Dh

                        Rich Headers

                        Programming Language:
                        • [ C ] VS2008 build 21022
                        • [LNK] VS2008 build 21022
                        • [ C ] VS2005 build 50727
                        • [ASM] VS2008 build 21022
                        • [IMP] VS2005 build 50727
                        • [RES] VS2008 build 21022
                        • [EXP] VS2008 build 21022
                        • [C++] VS2008 build 21022

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x50bc0 | 0x50 | .rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4f538 | 0xb4 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x89000 | 0x3410 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8d000 | 0x415c | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4bd00 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x47000 | 0x454 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4f4b0 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x45bb9 | 0x45c00 | False | 0.379756804435 | data | 6.37093799262 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata | 0x47000 | 0x9c10 | 0x9e00 | False | 0.357397151899 | data | 5.22179618791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0x51000 | 0x3735c | 0x33800 | False | 0.741035535498 | data | 6.11335979295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x89000 | 0x3410 | 0x3600 | False | 0.306640625 | data | 4.34913645958 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x8d000 | 0x8c34 | 0x8e00 | False | 0.346308318662 | data | 4.00973830682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        Name | RVA | Size | Type | Language | Country
                        RT_CURSOR | 0x89ac0 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x89bf4 | 0xb4 | data | Chinese | China
                        RT_CURSOR | 0x89ca8 | 0x134 | AmigaOS bitmap font | Chinese | China
                        RT_CURSOR | 0x89ddc | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x89f10 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a044 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a178 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a2ac | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a3e0 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a514 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a648 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a77c | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a8b0 | 0x134 | AmigaOS bitmap font | Chinese | China
                        RT_CURSOR | 0x8a9e4 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8ab18 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8ac4c | 0x134 | data | Chinese | China
                        RT_BITMAP | 0x8ad80 | 0xb8 | data | Chinese | China
                        RT_BITMAP | 0x8ae38 | 0x144 | data | Chinese | China
                        RT_ICON | 0x8af7c | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Chinese | China
                        RT_ICON | 0x8b264 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
                        RT_DIALOG | 0x8b38c | 0x33c | data | Chinese | China
                        RT_DIALOG | 0x8b6c8 | 0xe2 | data | Chinese | China
                        RT_DIALOG | 0x8b7ac | 0x34 | data | Chinese | China
                        RT_STRING | 0x8b7e0 | 0x4e | data | Chinese | China
                        RT_STRING | 0x8b830 | 0x2c | data | Chinese | China
                        RT_STRING | 0x8b85c | 0x82 | data | Chinese | China
                        RT_STRING | 0x8b8e0 | 0x1d6 | data | Chinese | China
                        RT_STRING | 0x8bab8 | 0x160 | data | Chinese | China
                        RT_STRING | 0x8bc18 | 0x12e | data | Chinese | China
                        RT_STRING | 0x8bd48 | 0x50 | data | Chinese | China
                        RT_STRING | 0x8bd98 | 0x44 | data | Chinese | China
                        RT_STRING | 0x8bddc | 0x68 | data | Chinese | China
                        RT_STRING | 0x8be44 | 0x1b8 | data | Chinese | China
                        RT_STRING | 0x8bffc | 0x104 | data | Chinese | China
                        RT_STRING | 0x8c100 | 0x24 | data | Chinese | China
                        RT_STRING | 0x8c124 | 0x30 | data | Chinese | China
                        RT_GROUP_CURSOR | 0x8c154 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c178 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c18c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c1a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c1b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c1c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c1dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c1f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c204 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c218 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c22c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c240 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c254 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c268 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c27c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_ICON | 0x8c290 | 0x22 | data | Chinese | China
                        RT_MANIFEST | 0x8c2b4 | 0x15a | ASCII text, with CRLF line terminators | English | United States

                        Imports

                        DLL | Import
                        KERNEL32.dll | GetOEMCP, GetCommandLineA, RtlUnwind, ExitProcess, HeapReAlloc, RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, IsValidCodePage, LCMapStringA, LCMapStringW, HeapCreate, HeapDestroy, GetStdHandle, GetCPInfo, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetModuleHandleW, CreateFileA, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedIncrement, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, LocalAlloc, WritePrivateProfileStringA, GlobalFlags, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, FormatMessageA, LocalFree, lstrlenA, InterlockedDecrement, MulDiv, MultiByteToWideChar, GlobalUnlock, GlobalFree, FreeResource, GlobalAddAtomA, GetCurrentProcessId, GetLastError, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, EnumResourceLanguagesA, GetModuleFileNameA, GetLocaleInfoA, WideCharToMultiByte, CompareStringA, FindResourceA, LoadResource, LockResource, SizeofResource, InterlockedExchange, GlobalLock, lstrcmpA, GlobalAlloc, GetModuleHandleA, CreateThread, CloseHandle, VirtualProtect, LoadLibraryA, VirtualAlloc, GetProcAddress, SetLastError, Sleep, IsBadReadPtr, GetProcessHeap, VirtualFree, HeapFree, HeapAlloc, FreeLibrary, VirtualQuery, SetHandleCount, GetNativeSystemInfo
                        USER32.dll | LoadCursorA, GetSysColorBrush, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, GetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetMenu, SetForegroundWindow, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetMenuItemID, GetMenuItemCount, GetSubMenu, UnhookWindowsHookEx, GetSysColor, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, GetWindowTextLengthA, GetWindowTextA, GetWindow, SetFocus, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, SetWindowsHookExA, CallNextHookEx, GetMessageA, DestroyMenu, UpdateWindow, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, PostQuitMessage, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, SetTimer, IsIconic, KillTimer, LoadIconA, DrawIcon, GetClientRect, SendMessageA, ShowWindow, PostMessageA, GetSystemMetrics, EnableWindow, GetMenu
                        GDI32.dll | GetStockObject, SelectObject, GetDeviceCaps, DeleteDC, Escape, ExtTextOutA, TextOutA, RectVisible, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, CreateBitmap, PtVisible, GetObjectA, DeleteObject, GetClipBox, SetMapMode, SetTextColor, SetBkColor, RestoreDC, SaveDC, SetViewportOrgEx
                        WINSPOOL.DRV | DocumentPropertiesA, ClosePrinter, OpenPrinterA
                        ADVAPI32.dll | RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                        SHLWAPI.dll | PathFindExtensionA
                        OLEAUT32.dll | VariantClear, VariantChangeType, VariantInit
                        WS2_32.dll | htons, setsockopt, sendto, htonl, bind, socket, closesocket, inet_addr, recvfrom, WSACleanup, WSAStartup

                        Exports

                        Name | Ordinal | Address
                        DllRegisterServer | 1 | 0x1001df20

                        Possible Origin

                        Language of compilation system | Country where language is spoken
                        Chinese | China
                        English | United States

                        Network Behavior

                        Snort IDS Alerts

                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        01/14/22-19:00:14.694584 | TCP | 2404332 | ET CNC Feodo Tracker Reported CnC Server TCP group 17 | 49743 | 80 | 192.168.2.3 | 45.138.98.34
                        01/14/22-19:00:15.994724 | TCP | 2404338 | ET CNC Feodo Tracker Reported CnC Server TCP group 20 | 49744 | 8080 | 192.168.2.3 | 69.16.218.101

                        Network Port Distribution

                        TCP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jan 14, 2022 19:00:14.694583893 CET | 49743 | 80 | 192.168.2.3 | 45.138.98.34
                        Jan 14, 2022 19:00:14.711357117 CET | 80 | 49743 | 45.138.98.34 | 192.168.2.3
                        Jan 14, 2022 19:00:15.266978979 CET | 49743 | 80 | 192.168.2.3 | 45.138.98.34
                        Jan 14, 2022 19:00:15.284024000 CET | 80 | 49743 | 45.138.98.34 | 192.168.2.3
                        Jan 14, 2022 19:00:15.970160961 CET | 49743 | 80 | 192.168.2.3 | 45.138.98.34
                        Jan 14, 2022 19:00:15.987149954 CET | 80 | 49743 | 45.138.98.34 | 192.168.2.3
                        Jan 14, 2022 19:00:15.994724035 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101
                        Jan 14, 2022 19:00:16.131238937 CET | 8080 | 49744 | 69.16.218.101 | 192.168.2.3
                        Jan 14, 2022 19:00:16.131366968 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101
                        Jan 14, 2022 19:00:16.161581039 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101
                        Jan 14, 2022 19:00:16.299078941 CET | 8080 | 49744 | 69.16.218.101 | 192.168.2.3
                        Jan 14, 2022 19:00:16.310969114 CET | 8080 | 49744 | 69.16.218.101 | 192.168.2.3
                        Jan 14, 2022 19:00:16.310992956 CET | 8080 | 49744 | 69.16.218.101 | 192.168.2.3
                        Jan 14, 2022 19:00:16.311106920 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101
                        Jan 14, 2022 19:00:34.780533075 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101
                        Jan 14, 2022 19:00:34.916532993 CET | 8080 | 49744 | 69.16.218.101 | 192.168.2.3
                        Jan 14, 2022 19:00:34.917233944 CET | 8080 | 49744 | 69.16.218.101 | 192.168.2.3
                        Jan 14, 2022 19:00:34.917412996 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101
                        Jan 14, 2022 19:00:34.921559095 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101
                        Jan 14, 2022 19:00:35.057970047 CET | 8080 | 49744 | 69.16.218.101 | 192.168.2.3
                        Jan 14, 2022 19:00:35.583663940 CET | 8080 | 49744 | 69.16.218.101 | 192.168.2.3
                        Jan 14, 2022 19:00:35.584063053 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101
                        Jan 14, 2022 19:00:38.579396009 CET | 8080 | 49744 | 69.16.218.101 | 192.168.2.3
                        Jan 14, 2022 19:00:38.579415083 CET | 8080 | 49744 | 69.16.218.101 | 192.168.2.3
                        Jan 14, 2022 19:00:38.579514027 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101
                        Jan 14, 2022 19:00:38.579566956 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101
                        Jan 14, 2022 19:02:04.643764019 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101
                        Jan 14, 2022 19:02:04.643863916 CET | 49744 | 8080 | 192.168.2.3 | 69.16.218.101

                        Code Manipulations

                        Statistics

                        Behavior

                        System Behavior

                        General

                        Start time:18:59:28
                        Start date:14/01/2022
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll"
                        Imagebase:0x1220000
                        File size:116736 bytes
                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.376038820.0000000000D51000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.379371136.0000000000D51000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.397131962.0000000000D00000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.376003738.0000000000D00000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.379329782.0000000000D00000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:moderate

                        General

                        Start time:18:59:29
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1
                        Imagebase:0xd80000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:18:59:29
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\regsvr32.exe
                        Wow64 process (32bit):true
                        Commandline:regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll
                        Imagebase:0xae0000
                        File size:20992 bytes
                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.306596758.0000000003330000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.306669964.0000000003411000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:18:59:29
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1
                        Imagebase:0x13c0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.361373048.0000000000881000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.359468675.00000000007C0000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:18:59:29
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer
                        Imagebase:0x13c0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.368368956.0000000004831000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.367128450.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.367810302.0000000001270000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.367757114.0000000001171000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.368438775.0000000004860000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.367845396.00000000012A1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.367713608.0000000001140000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.367919454.0000000001390000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.367465277.0000000000BC1000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:18:59:30
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer
                        Imagebase:0x13c0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:18:59:42
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:18:59:53
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:18:59:53
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer
                        Imagebase:0x13c0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.369867351.0000000005381000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.369320365.00000000051C1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.370265294.00000000056C0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.369446130.00000000052F0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.368922473.0000000004B71000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.369147966.0000000005060000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.370426063.00000000056F1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.369281669.0000000005190000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.369637751.0000000005350000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.368222308.00000000011D0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.369552219.0000000005321000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.369203622.0000000005091000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:18:59:58
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN
                        Imagebase:0x13c0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.370663067.0000000001190000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.376060277.0000000004C91000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation: high

                        General

                        Start time: 19:00:00
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer
                        Imagebase: 0x13c0000
                        File size: 61952 bytes
                        MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 19:00:01
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\svchost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
                        Imagebase: 0x7ff70d6e0000
                        File size: 51288 bytes
                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:00:02
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748
                        Imagebase: 0x1120000
                        File size: 434592 bytes
                        MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:00:06
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512
                        Imagebase: 0x1120000
                        File size: 434592 bytes
                        MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:00:06
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\svchost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase: 0x7ff70d6e0000
                        File size: 51288 bytes
                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:00:27
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\svchost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase: 0x7ff70d6e0000
                        File size: 51288 bytes
                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:00:41
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\svchost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase: 0x7ff70d6e0000
                        File size: 51288 bytes
                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:01:09
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\svchost.exe
                        Wow64 process (32bit): false
                        Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s BITS
                        Imagebase: 0x7ff70d6e0000
                        File size: 51288 bytes
                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
