Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report PtBIxmYbK8

Overview

General Information

Sample Name:PtBIxmYbK8 (renamed file extension from none to dll)
Analysis ID:553387
MD5:cdf3dc30cd25f5dc97c5f7b9c2d1abe5
SHA1:2e60ddf31429088419bdd186f10ff5e2d437236c
SHA256:9b571f59abe91b0684fec7bc2311225630ee92c647cd91f37847cd5f8f1dc85c
Tags:32dllexe
Infos:

Most interesting Screenshot:

Detection

Emotet
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5048 cmdline: loaddll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 5300 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4792 cmdline: rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6108 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 2524 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icg",BOAeVPaP MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
            • rundll32.exe (PID: 5160 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nvtcylmbo\muiecmoc.icg",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 2948 cmdline: regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6080 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6344 cmdline: rundll32.exe C:\Users\user\Desktop\PtBIxmYbK8.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 2352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 516 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 2064 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5932 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6552 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6016 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5644 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5052 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.317784212.0000000004B11000.00000020.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
    00000008.00000002.318296649.0000000005421000.00000020.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
      0000000E.00000002.821346778.0000000004C61000.00000020.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
        0000000B.00000002.322635855.00000000027B1000.00000020.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
          00000008.00000002.318248935.00000000053F0000.00000040.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
            Click to see the 43 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            8.2.rundll32.exe.5420000.7.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
              8.2.rundll32.exe.4ae0000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                14.2.rundll32.exe.2770000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                  14.2.rundll32.exe.5510000.23.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                    8.2.rundll32.exe.5450000.8.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                      Click to see the 67 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Suspicious Call by OrdinalShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5300, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1, ProcessId: 4792

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 0.2.loaddll32.exe.fd0000.0.raw.unpackMalware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
                      Source: PtBIxmYbK8.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.318305302.0000000002FA1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318774680.0000000002FA1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318180272.0000000004A75000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.335325526.0000000000952000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.324414381.0000000004DD5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.318293259.0000000002F9B000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.319074804.0000000002F9B000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000C.00000003.324414381.0000000004DD5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdbP% source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.318599175.0000000002FA7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318317394.0000000002FA7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb^% source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.318599175.0000000002FA7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318317394.0000000002FA7000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.318305302.0000000002FA1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318774680.0000000002FA1000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb`%; source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb|%/ source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbz%1 source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.318293259.0000000002F9B000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.319074804.0000000002F9B000.00000004.00000001.sdmp

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49743 -> 45.138.98.34:80
                      Source: TrafficSnort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49744 -> 69.16.218.101:8080
                      System process connects to network (likely due to code injection or exploit)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 69.16.218.101 144
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 45.138.98.34 80
                      C2 URLs / IPs found in malware configurationShow sources
                      Source: Malware configuration extractorIPs: 45.138.98.34:80
                      Source: Malware configuration extractorIPs: 69.16.218.101:8080
                      Source: Malware configuration extractorIPs: 51.210.242.234:8080
                      Source: Malware configuration extractorIPs: 185.148.168.220:8080
                      Source: Malware configuration extractorIPs: 142.4.219.173:8080
                      Source: Malware configuration extractorIPs: 54.38.242.185:443
                      Source: Malware configuration extractorIPs: 191.252.103.16:80
                      Source: Malware configuration extractorIPs: 104.131.62.48:8080
                      Source: Malware configuration extractorIPs: 62.171.178.147:8080
                      Source: Malware configuration extractorIPs: 217.182.143.207:443
                      Source: Malware configuration extractorIPs: 168.197.250.14:80
                      Source: Malware configuration extractorIPs: 37.44.244.177:8080
                      Source: Malware configuration extractorIPs: 66.42.57.149:443
                      Source: Malware configuration extractorIPs: 210.57.209.142:8080
                      Source: Malware configuration extractorIPs: 159.69.237.188:443
                      Source: Malware configuration extractorIPs: 116.124.128.206:8080
                      Source: Malware configuration extractorIPs: 128.199.192.135:8080
                      Source: Malware configuration extractorIPs: 195.154.146.35:443
                      Source: Malware configuration extractorIPs: 185.148.168.15:8080
                      Source: Malware configuration extractorIPs: 195.77.239.39:8080
                      Source: Malware configuration extractorIPs: 207.148.81.119:8080
                      Source: Malware configuration extractorIPs: 85.214.67.203:8080
                      Source: Malware configuration extractorIPs: 190.90.233.66:443
                      Source: Malware configuration extractorIPs: 78.46.73.125:443
                      Source: Malware configuration extractorIPs: 78.47.204.80:443
                      Source: Malware configuration extractorIPs: 37.59.209.141:8080
                      Source: Malware configuration extractorIPs: 54.37.228.122:443
                      Source: Joe Sandbox ViewASN Name: AS-CHOOPAUS AS-CHOOPAUS
                      Source: Joe Sandbox ViewASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
                      Source: Joe Sandbox ViewIP Address: 207.148.81.119 207.148.81.119
                      Source: Joe Sandbox ViewIP Address: 104.131.62.48 104.131.62.48
                      Source: global trafficTCP traffic: 192.168.2.3:49744 -> 69.16.218.101:8080
                      Source: unknownNetwork traffic detected: IP country count 12
                      Source: unknownTCP traffic detected without corresponding DNS query: 45.138.98.34
                      Source: unknownTCP traffic detected without corresponding DNS query: 45.138.98.34
                      Source: unknownTCP traffic detected without corresponding DNS query: 45.138.98.34
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
                      Source: svchost.exe, 00000019.00000003.505375546.000002AE4D5A2000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 00000019.00000003.505375546.000002AE4D5A2000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: !ached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"level\":81,\"
                      Source: svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: !ached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"level\":81,\"
                      Source: svchost.exe, 00000019.00000002.520960706.000002AE4D500000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 00000019.00000002.520960706.000002AE4D500000.00000004.00000001.sdmpString found in binary or memory: http://crl.ver)
                      Source: rundll32.exe, 0000000E.00000003.358145505.000000000523A000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
                      Source: rundll32.exe, 0000000E.00000003.358145505.000000000523A000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.358271514.000000000523A000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000002.823109589.000000000523A000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/C
                      Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: rundll32.exe, 0000000E.00000003.356841146.0000000005246000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c7b29d1b31ef2
                      Source: svchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: Amcache.hve.12.drString found in binary or memory: http://upx.sf.net
                      Source: svchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000019.00000003.501393956.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501270072.000002AE4D5A7000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501449448.000002AE4DA02000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501250445.000002AE4D5A7000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501407683.000002AE4D590000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10001280 recvfrom,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

                      E-Banking Fraud:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 8.2.rundll32.exe.5420000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.4ae0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2770000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5510000.23.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5450000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c30000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.57d0000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.29d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.53b0000.19.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.fd0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5800000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.27f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4ad0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.51a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.54e0000.22.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5480000.20.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.43a0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.50a0000.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2c10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5450000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.51b0000.17.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.fd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5290000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2c10000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5180000.16.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4ad0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.4ae0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4b00000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.29d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.51a0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5380000.18.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.49f0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.52c0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.57d0000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.51d0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.50d0000.15.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.e00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4f80000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c30000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.54e0000.22.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4cc0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.2780000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.43a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.e40000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5380000.18.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4fb0000.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.4b10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c60000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.27b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.2780000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.54b0000.21.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4a20000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c90000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4f80000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2770000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5290000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5480000.20.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.e00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.53f0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5180000.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2c10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.50a0000.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2aa0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c90000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.49f0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.53f0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2aa0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5480000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000002.317784212.0000000004B11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318296649.0000000005421000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821346778.0000000004C61000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.322635855.00000000027B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318248935.00000000053F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821133025.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823386199.0000000005480000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823214789.0000000005380000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823440702.00000000054B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821423822.0000000004C90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318348439.0000000005450000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318434863.00000000057D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823555104.0000000005511000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820324985.00000000027F1000.00000020.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820654150.0000000002AA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820892029.00000000043A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821081659.0000000004A21000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.308585083.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822157417.0000000004F80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822267335.0000000004FB1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821518387.0000000004CC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.338458195.0000000002C11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823505581.00000000054E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821036845.00000000049F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.311393772.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.312025488.0000000002C11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.302688522.0000000000E41000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.309571551.0000000002C11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.304075743.00000000043A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318371369.0000000005481000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820233700.0000000002770000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.303853951.00000000029D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.302564495.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822785123.0000000005180000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318088092.00000000051A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318476000.0000000005801000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.337429522.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.317749398.0000000004AE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821283927.0000000004C30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.322569629.0000000002780000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318172231.00000000052C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823282045.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821167570.0000000004B01000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822609344.00000000050A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318112393.00000000051D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318147984.0000000005290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822887843.00000000051B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822664620.00000000050D1000.00000020.00000001.sdmp, type: MEMORY

                      System Summary:

                      barindex
                      Source: PtBIxmYbK8.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048
                      Source: C:\Windows\SysWOW64\rundll32.exeFile deleted: C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icg:Zone.IdentifierJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Awlpqazimav\Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2EFDD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C180C0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2CAD5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2D8DB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2CCD9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2E4E5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1F0E9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C33EE9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C300EF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2BEFD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C11CA1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2A2A5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C23EAA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1BAA9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C336AA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C20ABA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1C6B8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C346BD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C20EBC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1E640
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2F840
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C17442
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1A445
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C24244
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2B257
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C22E5D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C33263
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C24A66
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C30A64
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1A871
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2DC71
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1DE74
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2A474
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C17E79
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C17078
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2567B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C29A01
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C28806
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C32009
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C27A0F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1B820
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C13431
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C18636
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2C5D5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1C5D8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1E7DE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C267E6
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C29DF5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2E1F8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C285FF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C14BFC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C155FF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C20F86
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C26187
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C23D85
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1238C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1FB8E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C12194
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C177A3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C307AA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C28FAE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C157B8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2D1BC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C317BD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1BFBE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C22142
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2654A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1D14C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C32D53
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2E955
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C27D5B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2FF58
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1F369
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C24F74
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C29774
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2017B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C25779
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C16B7A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C32B09
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1670B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2AD08
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1EF0C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C25515
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C25333
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C11F38
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C28D3D
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1004091B
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100291F6
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002EACF
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100403D7
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1004250B
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10041557
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10035D96
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100395A1
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100291F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002F378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100403D7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1004250B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10041557
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100395A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002F784
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1004091B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002EACF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002EFA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_100291F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1002F378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_100403D7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1004250B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_10041557
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_100395A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1002F784
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1004091B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1002EACF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1002EFA4
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030E38 appears 54 times
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030535 appears 37 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030E38 appears 116 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 1003578B appears 46 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030535 appears 174 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030568 appears 32 times
                      Source: PtBIxmYbK8.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
                      Source: PtBIxmYbK8.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PtBIxmYbK8.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icg",BOAeVPaP
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 516
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nvtcylmbo\muiecmoc.icg",DllRegisterServer
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PtBIxmYbK8.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icg",BOAeVPaP
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 516
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nvtcylmbo\muiecmoc.icg",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\System32\svchost.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1607.tmpJump to behavior
                      Source: classification engineClassification label: mal84.troj.evad.winDLL@27/10@0/28
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:5932:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5048
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10021183 LoadResource,LockResource,SizeofResource,
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.318305302.0000000002FA1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318774680.0000000002FA1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318180272.0000000004A75000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.335325526.0000000000952000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.324414381.0000000004DD5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.318293259.0000000002F9B000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.319074804.0000000002F9B000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000C.00000003.324414381.0000000004DD5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdbP% source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.318599175.0000000002FA7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318317394.0000000002FA7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb^% source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.318599175.0000000002FA7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318317394.0000000002FA7000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.318305302.0000000002FA1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318774680.0000000002FA1000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb`%; source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb|%/ source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbz%1 source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.318293259.0000000002F9B000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.319074804.0000000002F9B000.00000004.00000001.sdmp
                      Source: PtBIxmYbK8.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: PtBIxmYbK8.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: PtBIxmYbK8.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: PtBIxmYbK8.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: PtBIxmYbK8.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C208E0 push esp; iretd
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C11195 push cs; iretd
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10030E7D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10030E7D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_10030E7D push ecx; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: PtBIxmYbK8.dllStatic PE information: real checksum: 0x970bf should be: 0x91160
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icgJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Awlpqazimav\qiijqqbfkmpoabz.leo:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icg:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 5628Thread sleep time: -120000s >= -30000s
                      Source: C:\Windows\SysWOW64\regsvr32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Windows\SysWOW64\regsvr32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Windows\SysWOW64\regsvr32.exeAPI coverage: 5.2 %
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 5.0 %
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 5.1 %
                      Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.12.drBinary or memory string: VMware
                      Source: Amcache.hve.12.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.12.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.12.drBinary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.12.drBinary or memory string: VMware, Inc.
                      Source: Amcache.hve.12.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.12.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.12.drBinary or memory string: VMware7,1
                      Source: Amcache.hve.12.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.12.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.12.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: svchost.exe, 00000019.00000002.520774041.000002AE4CCEB000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.520634501.000002AE4CC70000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: Amcache.hve.12.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.12.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.12.drBinary or memory string: VMware, Inc.me
                      Source: Amcache.hve.12.drBinary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
                      Source: Amcache.hve.12.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.12.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1F7F7 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C336AA LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      System process connects to network (likely due to code injection or exploit)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 69.16.218.101 144
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 45.138.98.34 80
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 516
                      Source: loaddll32.exe, 00000000.00000000.309175024.0000000001660000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.311805993.0000000001660000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.820766066.0000000002E90000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000000.309175024.0000000001660000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.311805993.0000000001660000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.820766066.0000000002E90000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.309175024.0000000001660000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.311805993.0000000001660000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.820766066.0000000002E90000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.309175024.0000000001660000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.311805993.0000000001660000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.820766066.0000000002E90000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10024F01 _memset,GetVersionExA,
                      Source: Amcache.hve.12.dr, Amcache.hve.LOG1.12.drBinary or memory string: c:\users\user\desktop\procexp.exe
                      Source: Amcache.hve.12.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: Amcache.hve.12.dr, Amcache.hve.LOG1.12.drBinary or memory string: procexp.exe

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 8.2.rundll32.exe.5420000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.4ae0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2770000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5510000.23.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5450000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c30000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.57d0000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.29d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.53b0000.19.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.fd0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5800000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.27f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4ad0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.51a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.54e0000.22.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5480000.20.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.43a0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.50a0000.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2c10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5450000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.51b0000.17.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.fd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5290000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2c10000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5180000.16.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4ad0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.4ae0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4b00000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.29d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.51a0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5380000.18.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.49f0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.52c0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.57d0000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.51d0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.50d0000.15.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.e00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4f80000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c30000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.54e0000.22.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4cc0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.2780000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.43a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.e40000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5380000.18.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4fb0000.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.4b10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c60000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.27b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.2780000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.54b0000.21.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4a20000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c90000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4f80000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2770000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5290000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5480000.20.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.e00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.53f0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5180000.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2c10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.50a0000.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2aa0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c90000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.49f0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.53f0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2aa0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5480000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000002.317784212.0000000004B11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318296649.0000000005421000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821346778.0000000004C61000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.322635855.00000000027B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318248935.00000000053F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821133025.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823386199.0000000005480000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823214789.0000000005380000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823440702.00000000054B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821423822.0000000004C90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318348439.0000000005450000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318434863.00000000057D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823555104.0000000005511000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820324985.00000000027F1000.00000020.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820654150.0000000002AA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820892029.00000000043A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821081659.0000000004A21000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.308585083.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822157417.0000000004F80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822267335.0000000004FB1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821518387.0000000004CC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.338458195.0000000002C11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823505581.00000000054E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821036845.00000000049F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.311393772.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.312025488.0000000002C11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.302688522.0000000000E41000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.309571551.0000000002C11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.304075743.00000000043A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318371369.0000000005481000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820233700.0000000002770000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.303853951.00000000029D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.302564495.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822785123.0000000005180000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318088092.00000000051A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318476000.0000000005801000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.337429522.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.317749398.0000000004AE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821283927.0000000004C30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.322569629.0000000002780000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318172231.00000000052C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823282045.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821167570.0000000004B01000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822609344.00000000050A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318112393.00000000051D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318147984.0000000005290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822887843.00000000051B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822664620.00000000050D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsNative API2DLL Side-Loading1DLL Side-Loading1Deobfuscate/Decode Files or Information1Input Capture1System Time Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsProcess Injection112Obfuscated Files or Information2LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolInput Capture1Exfiltration Over BluetoothEncrypted Channel1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)DLL Side-Loading1Security Account ManagerSystem Information Discovery25SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)File Deletion1NTDSQuery Registry1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol1SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading2LSA SecretsSecurity Software Discovery41SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion2Cached Domain CredentialsVirtualization/Sandbox Evasion2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection112DCSyncProcess Discovery2Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobHidden Files and Directories1Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Regsvr321/etc/passwd and /etc/shadowRemote System Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Rundll321Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 553387 Sample: PtBIxmYbK8 Startdate: 14/01/2022 Architecture: WINDOWS Score: 84 43 210.57.209.142 UNAIR-AS-IDUniversitasAirlanggaID Indonesia 2->43 45 85.214.67.203 STRATOSTRATOAGDE Germany 2->45 47 23 other IPs or domains 2->47 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Found malware configuration 2->59 61 Yara detected Emotet 2->61 63 2 other signatures 2->63 11 loaddll32.exe 1 2->11         started        13 svchost.exe 4 2->13         started        15 svchost.exe 1 2->15         started        17 3 other processes 2->17 signatures3 process4 process5 19 cmd.exe 1 11->19         started        21 rundll32.exe 2 11->21         started        24 regsvr32.exe 11->24         started        26 WerFault.exe 3 9 11->26         started        28 WerFault.exe 13->28         started        signatures6 30 rundll32.exe 19->30         started        65 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->65 32 rundll32.exe 24->32         started        process7 process8 34 rundll32.exe 2 30->34         started        signatures9 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->55 37 rundll32.exe 34->37         started        process10 process11 39 rundll32.exe 37->39         started        dnsIp12 49 45.138.98.34, 49743, 80 M247GB Germany 39->49 51 69.16.218.101, 49744, 8080 LIQUIDWEBUS United States 39->51 53 192.168.2.1 unknown unknown 39->53 67 System process connects to network (likely due to code injection or exploit) 39->67 signatures13

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      14.2.rundll32.exe.4ad0000.6.unpack100%AviraHEUR/AGEN.1145233Download File
                      8.2.rundll32.exe.57d0000.10.unpack100%AviraHEUR/AGEN.1145233Download File
                      14.2.rundll32.exe.27f0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.53b0000.19.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.5180000.16.unpack100%AviraHEUR/AGEN.1145233Download File
                      0.0.loaddll32.exe.fd0000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                      14.2.rundll32.exe.5510000.23.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.4c30000.8.unpack100%AviraHEUR/AGEN.1145233Download File
                      8.2.rundll32.exe.5800000.11.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.43a0000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      8.2.rundll32.exe.5420000.7.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      8.2.rundll32.exe.51a0000.2.unpack100%AviraHEUR/AGEN.1145233Download File
                      0.2.loaddll32.exe.2c10000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      0.0.loaddll32.exe.fd0000.3.unpack100%AviraHEUR/AGEN.1145233Download File
                      14.2.rundll32.exe.51b0000.17.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      8.2.rundll32.exe.5450000.8.unpack100%AviraHEUR/AGEN.1145233Download File
                      0.2.loaddll32.exe.fd0000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                      0.0.loaddll32.exe.2c10000.4.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      4.2.rundll32.exe.29d0000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                      14.2.rundll32.exe.4b00000.7.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      8.2.rundll32.exe.4ae0000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                      14.2.rundll32.exe.5380000.18.unpack100%AviraHEUR/AGEN.1145233Download File
                      8.2.rundll32.exe.52c0000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      8.2.rundll32.exe.51d0000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.50d0000.15.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.4f80000.12.unpack100%AviraHEUR/AGEN.1145233Download File
                      14.2.rundll32.exe.4fb0000.13.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.4cc0000.11.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.54e0000.22.unpack100%AviraHEUR/AGEN.1145233Download File
                      11.2.rundll32.exe.2780000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                      14.2.rundll32.exe.54b0000.21.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      4.2.rundll32.exe.43a0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      3.2.regsvr32.exe.e40000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      8.2.rundll32.exe.4b10000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.4a20000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      11.2.rundll32.exe.27b0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.4c60000.9.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.4c90000.10.unpack100%AviraHEUR/AGEN.1145233Download File
                      14.2.rundll32.exe.5480000.20.unpack100%AviraHEUR/AGEN.1145233Download File
                      8.2.rundll32.exe.5290000.4.unpack100%AviraHEUR/AGEN.1145233Download File
                      14.2.rundll32.exe.2770000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                      3.2.regsvr32.exe.e00000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                      8.2.rundll32.exe.53f0000.6.unpack100%AviraHEUR/AGEN.1145233Download File
                      14.2.rundll32.exe.50a0000.14.unpack100%AviraHEUR/AGEN.1145233Download File
                      0.0.loaddll32.exe.2c10000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.rundll32.exe.2aa0000.2.unpack100%AviraHEUR/AGEN.1145233Download File
                      14.2.rundll32.exe.49f0000.4.unpack100%AviraHEUR/AGEN.1145233Download File
                      8.2.rundll32.exe.5480000.9.unpack100%AviraTR/Crypt.XPACK.GenDownload File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      https://www.disneyplus.com/legal/your-california-privacy-rights0%URL Reputationsafe
                      http://crl.ver)0%Avira URL Cloudsafe
                      https://www.disneyplus.com/legal/privacy-policy0%URL Reputationsafe
                      https://www.tiktok.com/legal/report/feedback0%URL Reputationsafe
                      http://help.disneyplus.com.0%URL Reputationsafe
                      https://disneyplus.com/legal.0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://www.disneyplus.com/legal/your-california-privacy-rightssvchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://crl.ver)svchost.exe, 00000019.00000002.520960706.000002AE4D500000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      https://www.disneyplus.com/legal/privacy-policysvchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://upx.sf.netAmcache.hve.12.drfalse
                        		high
                        https://www.tiktok.com/legal/report/feedbacksvchost.exe, 00000019.00000003.501393956.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501270072.000002AE4D5A7000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501449448.000002AE4DA02000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501250445.000002AE4D5A7000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501407683.000002AE4D590000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://help.disneyplus.com.svchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://disneyplus.com/legal.svchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown

                        Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public

                        IPDomainCountryFlagASNASN NameMalicious
                        207.148.81.119
                        		unknownUnited States
                        		20473AS-CHOOPAUStrue
                        104.131.62.48
                        		unknownUnited States
                        		14061DIGITALOCEAN-ASNUStrue
                        85.214.67.203
                        		unknownGermany
                        		6724STRATOSTRATOAGDEtrue
                        191.252.103.16
                        		unknownBrazil
                        		27715LocawebServicosdeInternetSABRtrue
                        168.197.250.14
                        		unknownArgentina
                        		264776OmarAnselmoRipollTDCNETARtrue
                        66.42.57.149
                        		unknownUnited States
                        		20473AS-CHOOPAUStrue
                        185.148.168.15
                        		unknownGermany
                        		44780EVERSCALE-ASDEtrue
                        51.210.242.234
                        		unknownFrance
                        		16276OVHFRtrue
                        217.182.143.207
                        		unknownFrance
                        		16276OVHFRtrue
                        69.16.218.101
                        		unknownUnited States
                        		32244LIQUIDWEBUStrue
                        159.69.237.188
                        		unknownGermany
                        		24940HETZNER-ASDEtrue
                        45.138.98.34
                        		unknownGermany
                        		9009M247GBtrue
                        116.124.128.206
                        		unknownKorea Republic of
                        		9318SKB-ASSKBroadbandCoLtdKRtrue
                        78.46.73.125
                        		unknownGermany
                        		24940HETZNER-ASDEtrue
                        37.59.209.141
                        		unknownFrance
                        		16276OVHFRtrue
                        210.57.209.142
                        		unknownIndonesia
                        		38142UNAIR-AS-IDUniversitasAirlanggaIDtrue
                        185.148.168.220
                        		unknownGermany
                        		44780EVERSCALE-ASDEtrue
                        54.37.228.122
                        		unknownFrance
                        		16276OVHFRtrue
                        190.90.233.66
                        		unknownColombia
                        		18678INTERNEXASAESPCOtrue
                        142.4.219.173
                        		unknownCanada
                        		16276OVHFRtrue
                        54.38.242.185
                        		unknownFrance
                        		16276OVHFRtrue
                        195.154.146.35
                        		unknownFrance
                        		12876OnlineSASFRtrue
                        195.77.239.39
                        		unknownSpain
                        		60493FICOSA-ASEStrue
                        78.47.204.80
                        		unknownGermany
                        		24940HETZNER-ASDEtrue
                        37.44.244.177
                        		unknownGermany
                        		47583AS-HOSTINGERLTtrue
                        62.171.178.147
                        		unknownUnited Kingdom
                        		51167CONTABODEtrue
                        128.199.192.135
                        		unknownUnited Kingdom
                        		14061DIGITALOCEAN-ASNUStrue

                        Private

                        IP
                        192.168.2.1

                        General Information

                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:553387
                        Start date:14.01.2022
                        Start time:19:46:42
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 14m 4s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:PtBIxmYbK8 (renamed file extension from none to dll)
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:30
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal84.troj.evad.winDLL@27/10@0/28
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 98% (good quality ratio 89.8%)
                        • Quality average: 68.4%
                        • Quality standard deviation: 28.2%
                        HCA Information:
                        • Successful, ratio: 75%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Override analysis time to 240s for rundll32
                        Warnings:
                        Show All
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 173.222.108.210, 173.222.108.226, 20.54.110.249
                        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, a767.dspw65.akamai.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, download.windowsupdate.com.edgesuite.net
                        • Not all processes where analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: PtBIxmYbK8.dll

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        19:49:16API Interceptor7x Sleep call for process: svchost.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7d3365b34093db6d884642e334bbbe4e6283fce_7cac0383_08b56415\Report.wer
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.7985558681406487
                        Encrypted:false
                        SSDEEP:96:wRxE/nYy1y9haol7JfapXIQcQSc6mcEUcw3/s+a+z+HbHgkVG4rmMoVazWbSmEB8:4EnxHsieryj0q/u7sWS274ItWU
                        MD5:6529AFCB3F75A1B224818E36D885B901
                        SHA1:F00D218DE1382C3F9AA3E34C15FE2BDE11482A87
                        SHA-256:B74286272B4575F474D87DBF53C02AE95EDF1F24F13B9D3C20CCE89134B9AB2D
                        SHA-512:E6E2681D3A05E1B0D85CFBA8E029899E7DC9C63DA17697E48C8E70AB2AF42A2A6DC3F71D035C6958F982896457D1CD53FEC96EDDEF291AC74D767A2932810129
                        Malicious:false
                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.9.2.0.7.2.9.5.9.4.4.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.8.e.4.3.8.0.-.c.6.a.b.-.4.c.3.9.-.a.2.d.e.-.5.2.6.2.4.5.d.0.9.9.e.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.e.9.4.e.4.0.-.b.6.e.e.-.4.e.c.4.-.a.0.8.d.-.a.4.0.4.d.8.e.0.e.c.a.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.b.8.-.0.0.0.1.-.0.0.1.c.-.d.9.f.5.-.0.1.a.5.c.2.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER1607.tmp.csv
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):52976
                        Entropy (8bit):3.0558188672124182
                        Encrypted:false
                        SSDEEP:1536:vk4HI2iUwrFnUDZ986O6wETo8+84YQwm00SVzNjkv2bj7J:vk4HI2iUwrFnUDZ986O6wETo8+89Qwmo
                        MD5:1C98D20AE6CA955B67E4ABC0ED4086CB
                        SHA1:8B81096AA848A9958881D7E6AE199571C3BA7B57
                        SHA-256:B884189E8E42E943DC544C6165893E3279606C54AC05B5652D2D5A12D96598E4
                        SHA-512:29AC6192B1D056A3D93B3BB48E2A531B43809C6018EE2C5F99A61B59B0ABA0E859F43405F5D9DC47EA7399494328E78F2A2625E3D5A70012FEDAC47A578D1470
                        Malicious:false
                        Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FFB.tmp.txt
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):13340
                        Entropy (8bit):2.6955022132026323
                        Encrypted:false
                        SSDEEP:96:9GiZYWSWuVVGYBYoO1W1nUGyGHJUYEZOEtk0iYOsf6wwvDT4a2YRKX8IonI3:9jZDlmucMIN7Ua2YRKX7onI3
                        MD5:03D00E89CD13A17F95F6B9DEB126601A
                        SHA1:3A49B0E608B6B745136D72A0C3A7610A26BFF2F3
                        SHA-256:3057A0EE3559367926F1EDA9E27B39EC3526E52ADAB13912305A49BBCF28CE9B
                        SHA-512:67AC5FF551B9A4786627057C062A501CEB2F6CB5E0BFB46DF20904310338B990D285AB87DBDA242257C1B86C265877CAF38A7ABF48992FBE463D98F30F9C9F37
                        Malicious:false
                        Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER4CA5.tmp.dmp
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Sat Jan 15 03:47:54 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):44484
                        Entropy (8bit):2.1181908603711563
                        Encrypted:false
                        SSDEEP:192:SEeYwjdjOamYvzAi5e37RgnjELQew/Nemj8nDLCu+3Os2NHEHp2:YUarvsqe37R3Qew/XjUDLCu+XB2
                        MD5:EE62C3C396654E74DDFD3745FCD9F6B5
                        SHA1:92C403FEA7C3C73A15A25E4C17A2546291028CEA
                        SHA-256:3333B74789AB680EE042A71395496B33222AD41900A88EAD3D7B61D13942B903
                        SHA-512:6BD35BE78E907B3CFA887219DDBAFEBC4E060043451E3825E462B9631CBCD6C161BB0A74D455B8F8211272505E219D2E7B5916615254D80E440E6B3342C697EC
                        Malicious:false
                        Preview: MDMP....... ........C.a....................................$...T............%..........`.......8...........T...............<...........x...........d....................................................................U...........B..............GenuineIntelW...........T............C.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER52DF.tmp.WERInternalMetadata.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8348
                        Entropy (8bit):3.7010572913797084
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNi7D6/Hg6x6YFGSUCagmfzSwGgCpBv89bF6sf+Xm:RrlsNi/6/Hg6x6YkSUCagmfzSwrFZfv
                        MD5:CDDAAB9B8184C856242F0ACB9F8FA232
                        SHA1:EE73E29077DEDACB4D755EBB0310C6EB57052335
                        SHA-256:B926531D3EF3CEE3AAAF19DE9A892E8F639CF3645C9C0B12B73E50C05FACE67F
                        SHA-512:8A81CB579BF2464B982540900B7C523F0D5513ED6CB184AF7CBF28FF85C7202303DCA36078D23E718E7BBCC54AE1E4ECBF26C9EDE5F5E6ABF4B3AC1F7990C601
                        Malicious:false
                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.4.8.<./.P.i.d.>.......
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER57F1.tmp.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4598
                        Entropy (8bit):4.468606320124609
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zsNJgtWI9LikWSC8BnYb8fm8M4J2+WZFyk+q84pvCKcQIcQw0td:uITfnQi9SNxHJAB5CKkw0td
                        MD5:57976DBD376925AC4EFF0C2A9BF98530
                        SHA1:2EFB6BAF18776CFB6DB119B29DCB793F7AF8832A
                        SHA-256:5E3B5776FE8FB137F2523575B39DB7E979FCC096EDB2BFD2F592F187DABEE118
                        SHA-512:AAA1F3D92621DE5BBA9A449B8E23BAD021851E7FFFD5F564EE47F785DB6688BEC5694CA2278920AE344C2103275A0F59FFCD0BE9CC85A3F971C384ACEFFBDCF7
                        Malicious:false
                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342858" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                        Category:dropped
                        Size (bytes):61414
                        Entropy (8bit):7.995245868798237
                        Encrypted:true
                        SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                        MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                        SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                        SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                        SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                        Malicious:false
                        Preview: MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:data
                        Category:modified
                        Size (bytes):328
                        Entropy (8bit):3.113451799804698
                        Encrypted:false
                        SSDEEP:6:kK5hk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:39kPlE99SNxAhUeYlUSA/t
                        MD5:4764FD8B35DE262C3F85950E5448BF4A
                        SHA1:9B2665A0F3D06DE10A32E5735F586E116D178C30
                        SHA-256:9E78EE47C41E8CA0D8587E6EA491C948D0DCE773D753628255C16D3F1FD1C538
                        SHA-512:CF5C5779F3963453342CE9700271C0A6D340D4FBB0DFDEE7B73D768A6D9C37CC8A595E19036DF70F322E797CDE95A3A9496CB7D712776AAA22BC91236624FBFA
                        Malicious:false
                        Preview: p...... ........l.9.....(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...
                        C:\Windows\appcompat\Programs\Amcache.hve
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1572864
                        Entropy (8bit):4.271142154487304
                        Encrypted:false
                        SSDEEP:12288:098zYqQ2tJx5J2pcfmkERLkDhBYQiFfQk4FLhxqK4LbhYAKT3i5H8:+8zYqQ2tJx5J2pc8
                        MD5:1F014DDCF8CD94E4BE5F92C1E777165D
                        SHA1:DE15B1B1D364E6D3A97254132072C6A0D4008307
                        SHA-256:A3839E4A773CE3792DE1B7C3660087454780B4F0153F834ABD2FE1C9C57F4F69
                        SHA-512:74BFB5BE1BC62F9D521E53A1568B4237860D3D2AD896D5EE3EBADA52676BF6B66EEB5870109920DA04157099D96AD9942BE2B5B7F7AD7D12254262AAFAF70151
                        Malicious:false
                        Preview: regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm6...................................................................................................................................................................................................................................................................................................................................................R..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):16384
                        Entropy (8bit):3.3969081066165123
                        Encrypted:false
                        SSDEEP:192://wiP/E1m0qN38OYl5FSEsWftx1PxgoJ4XoaJNSdkyFn6yvRrsfUWfYjdsiDoXzq:9Xk5Rftx1PPJ4Xo7FFn7bZd1DoXzCh
                        MD5:11DB2A78709E05EA6D7B7DABD9BC4839
                        SHA1:2A9911BB62D94062DB208D2FF375E93834C48F6E
                        SHA-256:E2D80A8275255351FE5DF6EA7B821308A3909BBD9EABF8BC1F5968C905DD6BEC
                        SHA-512:41FA9CCFF373F70ADF7EA14597688CD78E541623DEB80F0A0FD04BF684244001A10E974859BEF037E58065C94F038C9F201611AD61416AAF5551924193C9FFC5
                        Malicious:false
                        Preview: regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm6...................................................................................................................................................................................................................................................................................................................................................R..HvLE.>......Y............eHBt.R...7"...........0..............hbin................p.\..,..........nk,..J..................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..J......... ........................... .......Z.......................Root........lf......Root....nk ..J......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                        Static File Info

                        General

                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.76761459656839
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
                        • Windows Screen Saver (13104/52) 1.29%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:PtBIxmYbK8.dll
                        File size:588288
                        MD5:cdf3dc30cd25f5dc97c5f7b9c2d1abe5
                        SHA1:2e60ddf31429088419bdd186f10ff5e2d437236c
                        SHA256:9b571f59abe91b0684fec7bc2311225630ee92c647cd91f37847cd5f8f1dc85c
                        SHA512:95c410febe7bcd616f8836ba417d9e46fc94369d102b5debb2fcf57d2613aa7de09300a47858ba583bfc6935986506856be94ce4f6047ac6b36a6abc74104e6c
                        SSDEEP:6144:cNU5LwA22222GgngDrDRVyYli/ci2tEGW78ODQiEatvOSk5DKXOW14IkFxVFgY4E:x5w7YM/cYVV7EDOpOJyvnHtytFyQ
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.......................................^F......^P.n....^W.t....^Y......^A......^G......^B.....Rich....................PE..L..

                        File Icon

                        Icon Hash:71b018ccc6577131

                        Static PE Info

                        General

                        Entrypoint:0x1002eaac
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x10000000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                        DLL Characteristics:
                        Time Stamp:0x61E03DE6 [Thu Jan 13 14:57:42 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:0
                        File Version Major:5
                        File Version Minor:0
                        Subsystem Version Major:5
                        Subsystem Version Minor:0
                        Import Hash:7f57698bb210fa88a6b01b1feaf20957

                        Entrypoint Preview

                        Instruction
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        cmp dword ptr [ebp+0Ch], 01h
                        jne 00007F1E087A4C07h
                        call 00007F1E087AD478h
                        push dword ptr [ebp+08h]
                        mov ecx, dword ptr [ebp+10h]
                        mov edx, dword ptr [ebp+0Ch]
                        call 00007F1E087A4AF1h
                        pop ecx
                        pop ebp
                        retn 000Ch
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        push esi
                        push edi
                        mov edi, dword ptr [ebp+10h]
                        mov eax, edi
                        sub eax, 00000000h
                        je 00007F1E087A61EBh
                        dec eax
                        je 00007F1E087A61D3h
                        dec eax
                        je 00007F1E087A619Eh
                        dec eax
                        je 00007F1E087A614Fh
                        dec eax
                        je 00007F1E087A60BFh
                        mov ecx, dword ptr [ebp+0Ch]
                        mov eax, dword ptr [ebp+08h]
                        push ebx
                        push 00000020h
                        pop edx
                        jmp 00007F1E087A5077h
                        mov esi, dword ptr [eax]
                        cmp esi, dword ptr [ecx]
                        je 00007F1E087A4C7Eh
                        movzx esi, byte ptr [eax]
                        movzx ebx, byte ptr [ecx]
                        sub esi, ebx
                        je 00007F1E087A4C17h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007F1E087A506Fh
                        movzx esi, byte ptr [eax+01h]
                        movzx ebx, byte ptr [ecx+01h]
                        sub esi, ebx
                        je 00007F1E087A4C17h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007F1E087A504Eh
                        movzx esi, byte ptr [eax+02h]
                        movzx ebx, byte ptr [ecx+02h]
                        sub esi, ebx
                        je 00007F1E087A4C17h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007F1E087A502Dh

                        Rich Headers

                        Programming Language:
                        • [ C ] VS2008 build 21022
                        • [LNK] VS2008 build 21022
                        • [ C ] VS2005 build 50727
                        • [ASM] VS2008 build 21022
                        • [IMP] VS2005 build 50727
                        • [RES] VS2008 build 21022
                        • [EXP] VS2008 build 21022
                        • [C++] VS2008 build 21022

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x50bc00x50.rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT0x4f5380xb4.rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x890000x3410.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x8d0000x415c.reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x4bd000x40.rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x470000x454.rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x4f4b00x40.rdata
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x10000x45bb90x45c00False0.379756804435data6.37093799262IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata0x470000x9c100x9e00False0.357372428797data5.22198617118IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data0x510000x3735c0x33800False0.741035535498data6.11335979295IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc0x890000x34100x3600False0.306640625data4.34913645958IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc0x8d0000x8c340x8e00False0.346308318662data4.00973830682IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountry
                        RT_CURSOR0x89ac00x134dataChineseChina
                        RT_CURSOR0x89bf40xb4dataChineseChina
                        RT_CURSOR0x89ca80x134AmigaOS bitmap fontChineseChina
                        RT_CURSOR0x89ddc0x134dataChineseChina
                        RT_CURSOR0x89f100x134dataChineseChina
                        RT_CURSOR0x8a0440x134dataChineseChina
                        RT_CURSOR0x8a1780x134dataChineseChina
                        RT_CURSOR0x8a2ac0x134dataChineseChina
                        RT_CURSOR0x8a3e00x134dataChineseChina
                        RT_CURSOR0x8a5140x134dataChineseChina
                        RT_CURSOR0x8a6480x134dataChineseChina
                        RT_CURSOR0x8a77c0x134dataChineseChina
                        RT_CURSOR0x8a8b00x134AmigaOS bitmap fontChineseChina
                        RT_CURSOR0x8a9e40x134dataChineseChina
                        RT_CURSOR0x8ab180x134dataChineseChina
                        RT_CURSOR0x8ac4c0x134dataChineseChina
                        RT_BITMAP0x8ad800xb8dataChineseChina
                        RT_BITMAP0x8ae380x144dataChineseChina
                        RT_ICON0x8af7c0x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676ChineseChina
                        RT_ICON0x8b2640x128GLS_BINARY_LSB_FIRSTChineseChina
                        RT_DIALOG0x8b38c0x33cdataChineseChina
                        RT_DIALOG0x8b6c80xe2dataChineseChina
                        RT_DIALOG0x8b7ac0x34dataChineseChina
                        RT_STRING0x8b7e00x4edataChineseChina
                        RT_STRING0x8b8300x2cdataChineseChina
                        RT_STRING0x8b85c0x82dataChineseChina
                        RT_STRING0x8b8e00x1d6dataChineseChina
                        RT_STRING0x8bab80x160dataChineseChina
                        RT_STRING0x8bc180x12edataChineseChina
                        RT_STRING0x8bd480x50dataChineseChina
                        RT_STRING0x8bd980x44dataChineseChina
                        RT_STRING0x8bddc0x68dataChineseChina
                        RT_STRING0x8be440x1b8dataChineseChina
                        RT_STRING0x8bffc0x104dataChineseChina
                        RT_STRING0x8c1000x24dataChineseChina
                        RT_STRING0x8c1240x30dataChineseChina
                        RT_GROUP_CURSOR0x8c1540x22Lotus unknown worksheet or configuration, revision 0x2ChineseChina
                        RT_GROUP_CURSOR0x8c1780x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c18c0x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c1a00x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c1b40x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c1c80x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c1dc0x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c1f00x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c2040x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c2180x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c22c0x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c2400x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c2540x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c2680x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_CURSOR0x8c27c0x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina
                        RT_GROUP_ICON0x8c2900x22dataChineseChina
                        RT_MANIFEST0x8c2b40x15aASCII text, with CRLF line terminatorsEnglishUnited States

                        Imports

                        DLLImport
                        KERNEL32.dllGetOEMCP, GetCommandLineA, RtlUnwind, ExitProcess, HeapReAlloc, RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, IsValidCodePage, LCMapStringA, LCMapStringW, HeapCreate, HeapDestroy, GetStdHandle, GetCPInfo, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetModuleHandleW, CreateFileA, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedIncrement, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, LocalAlloc, WritePrivateProfileStringA, GlobalFlags, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, FormatMessageA, LocalFree, lstrlenA, InterlockedDecrement, MulDiv, MultiByteToWideChar, GlobalUnlock, GlobalFree, FreeResource, GlobalAddAtomA, GetCurrentProcessId, GetLastError, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, EnumResourceLanguagesA, GetModuleFileNameA, GetLocaleInfoA, WideCharToMultiByte, CompareStringA, FindResourceA, LoadResource, LockResource, SizeofResource, InterlockedExchange, GlobalLock, lstrcmpA, GlobalAlloc, GetModuleHandleA, CreateThread, CloseHandle, VirtualProtect, LoadLibraryA, VirtualAlloc, GetProcAddress, SetLastError, Sleep, IsBadReadPtr, GetProcessHeap, VirtualFree, HeapFree, HeapAlloc, FreeLibrary, VirtualQuery, SetHandleCount, GetNativeSystemInfo
                        USER32.dllLoadCursorA, GetSysColorBrush, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, GetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetMenu, SetForegroundWindow, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetMenuItemID, GetMenuItemCount, GetSubMenu, UnhookWindowsHookEx, GetSysColor, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, GetWindowTextLengthA, GetWindowTextA, GetWindow, SetFocus, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, SetWindowsHookExA, CallNextHookEx, GetMessageA, DestroyMenu, UpdateWindow, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, PostQuitMessage, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, SetTimer, IsIconic, KillTimer, LoadIconA, DrawIcon, GetClientRect, SendMessageA, ShowWindow, PostMessageA, GetSystemMetrics, EnableWindow, GetMenu
                        GDI32.dllGetStockObject, SelectObject, GetDeviceCaps, DeleteDC, Escape, ExtTextOutA, TextOutA, RectVisible, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, CreateBitmap, PtVisible, GetObjectA, DeleteObject, GetClipBox, SetMapMode, SetTextColor, SetBkColor, RestoreDC, SaveDC, SetViewportOrgEx
                        WINSPOOL.DRVDocumentPropertiesA, ClosePrinter, OpenPrinterA
                        ADVAPI32.dllRegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                        SHLWAPI.dllPathFindExtensionA
                        OLEAUT32.dllVariantClear, VariantChangeType, VariantInit
                        WS2_32.dllhtons, setsockopt, sendto, htonl, bind, socket, closesocket, inet_addr, recvfrom, WSACleanup, WSAStartup

                        Exports

                        NameOrdinalAddress
                        DllRegisterServer10x1001df20

                        Possible Origin

                        Language of compilation systemCountry where language is spokenMap
                        ChineseChina
                        EnglishUnited States

                        Network Behavior

                        Snort IDS Alerts

                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                        01/14/22-19:48:04.868357TCP2404332ET CNC Feodo Tracker Reported CnC Server TCP group 174974380192.168.2.345.138.98.34
                        01/14/22-19:48:06.096818TCP2404338ET CNC Feodo Tracker Reported CnC Server TCP group 20497448080192.168.2.369.16.218.101

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Jan 14, 2022 19:48:04.868356943 CET4974380192.168.2.345.138.98.34
                        Jan 14, 2022 19:48:04.885901928 CET804974345.138.98.34192.168.2.3
                        Jan 14, 2022 19:48:05.455316067 CET4974380192.168.2.345.138.98.34
                        Jan 14, 2022 19:48:05.472565889 CET804974345.138.98.34192.168.2.3
                        Jan 14, 2022 19:48:06.068423033 CET4974380192.168.2.345.138.98.34
                        Jan 14, 2022 19:48:06.087671041 CET804974345.138.98.34192.168.2.3
                        Jan 14, 2022 19:48:06.096817970 CET497448080192.168.2.369.16.218.101
                        Jan 14, 2022 19:48:06.235723972 CET80804974469.16.218.101192.168.2.3
                        Jan 14, 2022 19:48:06.235879898 CET497448080192.168.2.369.16.218.101
                        Jan 14, 2022 19:48:06.310767889 CET497448080192.168.2.369.16.218.101
                        Jan 14, 2022 19:48:06.447163105 CET80804974469.16.218.101192.168.2.3
                        Jan 14, 2022 19:48:06.460182905 CET80804974469.16.218.101192.168.2.3
                        Jan 14, 2022 19:48:06.460217953 CET80804974469.16.218.101192.168.2.3
                        Jan 14, 2022 19:48:06.460530996 CET497448080192.168.2.369.16.218.101
                        Jan 14, 2022 19:48:11.426649094 CET497448080192.168.2.369.16.218.101
                        Jan 14, 2022 19:48:11.562936068 CET80804974469.16.218.101192.168.2.3
                        Jan 14, 2022 19:48:11.563620090 CET80804974469.16.218.101192.168.2.3
                        Jan 14, 2022 19:48:11.563821077 CET497448080192.168.2.369.16.218.101
                        Jan 14, 2022 19:48:11.566965103 CET497448080192.168.2.369.16.218.101
                        Jan 14, 2022 19:48:11.703223944 CET80804974469.16.218.101192.168.2.3
                        Jan 14, 2022 19:48:12.220818996 CET80804974469.16.218.101192.168.2.3
                        Jan 14, 2022 19:48:12.221153021 CET497448080192.168.2.369.16.218.101
                        Jan 14, 2022 19:48:15.221715927 CET80804974469.16.218.101192.168.2.3
                        Jan 14, 2022 19:48:15.221791983 CET497448080192.168.2.369.16.218.101
                        Jan 14, 2022 19:48:15.224180937 CET80804974469.16.218.101192.168.2.3
                        Jan 14, 2022 19:48:15.224283934 CET497448080192.168.2.369.16.218.101
                        Jan 14, 2022 19:49:54.750998974 CET497448080192.168.2.369.16.218.101
                        Jan 14, 2022 19:49:54.751054049 CET497448080192.168.2.369.16.218.101

                        Code Manipulations

                        Statistics

                        Behavior

                        Click to jump to process

                        System Behavior

                        Analysis Process: loaddll32.exe PID: 5048 Parent PID: 4760

                        General

                        Start time:19:47:40
                        Start date:14/01/2022
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll"
                        Imagebase:0x1090000
                        File size:116736 bytes
                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.308585083.0000000000FD0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.338458195.0000000002C11000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.311393772.0000000000FD0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.312025488.0000000002C11000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.309571551.0000000002C11000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.337429522.0000000000FD0000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:moderate

                        Analysis Process: cmd.exe PID: 5300 Parent PID: 5048

                        General

                        Start time:19:47:41
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                        Imagebase:0xd80000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Analysis Process: regsvr32.exe PID: 2948 Parent PID: 5048

                        General

                        Start time:19:47:41
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\regsvr32.exe
                        Wow64 process (32bit):true
                        Commandline:regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll
                        Imagebase:0xf70000
                        File size:20992 bytes
                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.302688522.0000000000E41000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.302564495.0000000000E00000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        Analysis Process: rundll32.exe PID: 4792 Parent PID: 5300

                        General

                        Start time:19:47:41
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                        Imagebase:0x320000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.304075743.00000000043A1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.303853951.00000000029D0000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        Analysis Process: rundll32.exe PID: 6344 Parent PID: 5048

                        General

                        Start time:19:47:41
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe C:\Users\user\Desktop\PtBIxmYbK8.dll,DllRegisterServer
                        Imagebase:0x320000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Analysis Process: rundll32.exe PID: 6080 Parent PID: 2948

                        General

                        Start time:19:47:43
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
                        Imagebase:0x320000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Analysis Process: rundll32.exe PID: 6108 Parent PID: 4792

                        General

                        Start time:19:47:43
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
                        Imagebase:0x320000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.317784212.0000000004B11000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.318296649.0000000005421000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.318248935.00000000053F0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.318348439.0000000005450000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.318434863.00000000057D0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.318371369.0000000005481000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.318088092.00000000051A0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.318476000.0000000005801000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.317749398.0000000004AE0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.318172231.00000000052C1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.318112393.00000000051D1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.318147984.0000000005290000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        Analysis Process: svchost.exe PID: 2064 Parent PID: 572

                        General

                        Start time:19:47:45
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Analysis Process: WerFault.exe PID: 5932 Parent PID: 2064

                        General

                        Start time:19:47:46
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048
                        Imagebase:0xa70000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Analysis Process: rundll32.exe PID: 2524 Parent PID: 6108

                        General

                        Start time:19:47:48
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icg",BOAeVPaP
                        Imagebase:0x320000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.322635855.00000000027B1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.322569629.0000000002780000.00000040.00000001.sdmp, Author: Joe Security

                        Analysis Process: WerFault.exe PID: 2352 Parent PID: 5048

                        General

                        Start time:19:47:48
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 516
                        Imagebase:0xa70000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Analysis Process: rundll32.exe PID: 5160 Parent PID: 2524

                        General

                        Start time:19:47:51
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nvtcylmbo\muiecmoc.icg",DllRegisterServer
                        Imagebase:0x320000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.821346778.0000000004C61000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.821133025.0000000004AD0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.823386199.0000000005480000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.823214789.0000000005380000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.823440702.00000000054B1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.821423822.0000000004C90000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.823555104.0000000005511000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.820324985.00000000027F1000.00000020.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.820654150.0000000002AA0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.820892029.00000000043A1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.821081659.0000000004A21000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.822157417.0000000004F80000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.822267335.0000000004FB1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.821518387.0000000004CC1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.823505581.00000000054E0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.821036845.00000000049F0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.820233700.0000000002770000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.822785123.0000000005180000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.821283927.0000000004C30000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.823282045.00000000053B1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.821167570.0000000004B01000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.822609344.00000000050A0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.822887843.00000000051B1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.822664620.00000000050D1000.00000020.00000001.sdmp, Author: Joe Security

                        Analysis Process: svchost.exe PID: 6552 Parent PID: 572

                        General

                        Start time:19:48:09
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Analysis Process: svchost.exe PID: 6016 Parent PID: 572

                        General

                        Start time:19:48:44
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Analysis Process: svchost.exe PID: 5644 Parent PID: 572

                        General

                        Start time:19:49:02
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Analysis Process: svchost.exe PID: 5052 Parent PID: 572

                        General

                        Start time:19:49:14
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Disassembly

                        Code Analysis

                        Reset < >