
Windows Analysis Report YBfn5E3Dlw

Overview

General Information

Sample Name: YBfn5E3Dlw (renamed file extension from none to dll)
Analysis ID: 553389
MD5: 038f9a9d5b96733a9b3030cfbe4e4535
SHA1: 3b8a4b81f0b06514188e4f935d5f4b0858b93806
SHA256: d46762ba155e3345baf5d9e9453e6cd8e0647438693abddf34f98ae8d6bd436a
Tags: 32, dll, exe

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6260 cmdline: loaddll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 2240 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6072 cmdline: rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4180 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 6500 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja",rArKTBwXKBsr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
            • rundll32.exe (PID: 6664 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dfktehrjwgeevy\pakqi.bja",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 5396 cmdline: regsvr32.exe /s C:\Users\user\Desktop\YBfn5E3Dlw.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6436 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1320 cmdline: rundll32.exe C:\Users\user\Desktop\YBfn5E3Dlw.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 552 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6888 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5628 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 1368 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5416 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7132 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
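The two "Public Key" strings in the configuration are base64-encoded BCRYPT_ECCKEY_BLOB structures: a 4-byte magic, a little-endian cbKey, then the big-endian X and Y coordinates of a NIST P-256 point. Decoding the magic tells the analyst which key is which: "ECK1" is BCRYPT_ECDH_PUBLIC_P256_MAGIC (the key this Emotet generation uses for ECDH key agreement on the C2 channel) and "ECS1" is BCRYPT_ECDSA_PUBLIC_P256_MAGIC (used to verify signed C2 responses). The parser below is an added example written for this page, not code from Joe Sandbox or from the malware configuration extractor; the key strings are copied from the configuration above, the curve constants are the published NIST P-256 parameters, the usage labels are the analyst's interpretation of the magic values, and the on-curve check is there to reject a key damaged in transcription before it is fed to a traffic-decryption tool.

```python
import base64
import struct
from dataclasses import dataclass
from typing import Dict, List

# Key strings copied from the "Public Key" field of the configuration above.
EMOTET_KEYS = [
    "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
    "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
]

# BCRYPT_ECCKEY_BLOB magic values for NIST P-256 public keys (bcrypt.h).
ECDSA_P256_PUBLIC_MAGIC = b"ECS1"   # BCRYPT_ECDSA_PUBLIC_P256_MAGIC (0x31534345)
ECDH_P256_PUBLIC_MAGIC = b"ECK1"    # BCRYPT_ECDH_PUBLIC_P256_MAGIC  (0x314B4345)
# Role labels are the analyst's interpretation (assumption), not a field of the blob.
KEY_USAGE = {
    ECDSA_P256_PUBLIC_MAGIC: "ECDSA P-256 (verifies signed C2 responses)",
    ECDH_P256_PUBLIC_MAGIC: "ECDH P-256 (key agreement for C2 traffic encryption)",
}

# NIST P-256: y^2 = x^3 + a*x + b over GF(p) (FIPS 186-4 / SEC 2 domain parameters).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


@dataclass(frozen=True)
class EccPublicKey:
    magic: bytes
    usage: str
    cb_key: int   # coordinate length in bytes (32 for P-256)
    x: int
    y: int


def parse_bcrypt_ecc_public_blob(b64: str) -> EccPublicKey:
    """Decode one base64 BCRYPT_ECCKEY_BLOB public key into its fields."""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 8:
        raise ValueError("blob shorter than the 8-byte BCRYPT_ECCKEY_BLOB header")
    magic, cb_key = struct.unpack_from("<4sI", blob, 0)   # dwMagic, cbKey (little-endian)
    usage = KEY_USAGE.get(magic)
    if usage is None:
        raise ValueError(f"unsupported magic {magic!r}")
    if cb_key != 32 or len(blob) != 8 + 2 * cb_key:
        raise ValueError(f"unexpected layout: cbKey={cb_key}, blob length={len(blob)}")
    # The coordinates follow the header as big-endian unsigned integers.
    x = int.from_bytes(blob[8:8 + cb_key], "big")
    y = int.from_bytes(blob[8 + cb_key:8 + 2 * cb_key], "big")
    return EccPublicKey(magic, usage, cb_key, x, y)


def on_p256_curve(key: EccPublicKey) -> bool:
    """True if (x, y) satisfies the P-256 curve equation; False for damaged or bogus keys."""
    if not (0 < key.x < P256_P and 0 < key.y < P256_P):
        return False
    return (key.y * key.y - (key.x ** 3 + P256_A * key.x + P256_B)) % P256_P == 0


def describe_keys(b64_keys: List[str]) -> List[Dict[str, object]]:
    """Parse every key and report its role and whether it is a valid curve point."""
    report = []
    for b64 in b64_keys:
        key = parse_bcrypt_ecc_public_blob(b64)
        report.append({
            "magic": key.magic.decode("ascii"),
            "usage": key.usage,
            "x": f"{key.x:064x}",
            "y": f"{key.y:064x}",
            "on_curve": on_p256_curve(key),
        })
    return report


if __name__ == "__main__":
    for entry in describe_keys(EMOTET_KEYS):
        print(entry)
```

Run it as-is and the first key decodes as ECS1 and the second as ECK1, each with cbKey 32 and a 72-byte blob. A key whose on_curve field comes back False should be treated as corrupted rather than loaded into a decryptor.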

Yara Overview

Memory Dumps

Source                                                               Rule                  Description           Author
00000000.00000000.680031217.0000000002AE1000.00000020.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
0000000B.00000002.687070469.0000000000B50000.00000040.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
00000007.00000002.684992268.0000000003450000.00000040.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
00000000.00000002.703964616.0000000002AB0000.00000040.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
00000007.00000002.687871792.0000000005661000.00000020.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
(27 matching memory dumps in total; the first 5 are shown)

            Unpacked PEs

Source                                 Rule                  Description           Author
7.2.rundll32.exe.59f0000.10.unpack     JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
7.2.rundll32.exe.5630000.6.raw.unpack  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
4.2.rundll32.exe.4720000.4.raw.unpack  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
0.2.loaddll32.exe.2ab0000.0.unpack     JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
7.2.rundll32.exe.5690000.8.raw.unpack  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
(43 matching unpacked PEs in total; the first 5 are shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started  Author: Florian Roth  Data: Command: rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2240, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1, ProcessId: 6072

Jbx Signature Overview

                      AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.1270000.0.raw.unpack  Malware Configuration Extractor: Emotet (the full C2 list and both public keys are given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: YBfn5E3Dlw.dll  VirusTotal: Detection: 13%
Source: YBfn5E3Dlw.dll  ReversingLabs: Detection: 16%
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.685499614.0000000004D25000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685556011.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685774449.0000000003291000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.690080981.00000000050A5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.685541913.000000000328C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.686171794.000000000328C000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000C.00000003.690080981.00000000050A5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: a,njr/nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.702514723.0000000000C92000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.685885045.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685567908.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685783143.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.685885045.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685567908.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685783143.0000000003297000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.685556011.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685774449.0000000003291000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: Kernel.Appcore.pdb^;V source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.685541913.000000000328C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.686171794.000000000328C000.00000004.00000001.sdmp

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic  Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49790 -> 45.138.98.34:80
Source: Traffic  Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49791 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 45.138.98.34 80
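The process tree, the Sigma hit and the two networking signatures above describe behaviours a detection engineer can encode directly from this report: rundll32 called with an export ordinal (",#1"), rundll32 invoking DllRegisterServer itself on a user-profile DLL, the payload copied under System32/SysWOW64 with a non-DLL extension (Dfktehrjwgeevy\pakqi.bja) and then loaded by rundll32, regsvr32 /s on a Desktop file, and a Windows loader binary connecting to an endpoint from the extracted C2 list. The script below is an added example written for this page, not a Joe Sandbox, Sysmon or Sigma artefact. The events it runs over are constructed from the process tree (PIDs, images and command lines copied from it); the benign rundll32 control process (PID 9001) and the address 203.0.113.10 are invented, and the C2 set is a five-entry subset of the configuration above. ntpath is used so the Windows paths parse correctly on a Linux analysis host.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

Finding = Tuple[int, str]   # (pid, rule name)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str     # full path of the started executable
    cmdline: str   # its command line


@dataclass(frozen=True)
class NetEvent:
    pid: int
    image: str
    dst_ip: str
    dst_port: int


# Module path and optional export (name or #ordinal) that follows rundll32.exe / regsvr32.exe.
MODULE_RE = re.compile(
    r'(?:rundll32|regsvr32)\.exe\s+(?:/s\s+)?"?([^",]+?)"?\s*(?:,\s*([^\s",]+))?\s*$',
    re.IGNORECASE,
)
LOADER_EXTS = {".dll", ".ocx", ".cpl", ".ax"}   # what these loaders normally load
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def module_and_export(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    m = MODULE_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else (None, None)


def check_process(ev: ProcEvent) -> List[Finding]:
    findings: List[Finding] = []
    module, export = module_and_export(ev.cmdline)
    if module is None:
        return findings
    exe = ntpath.basename(ev.image).lower()
    low = module.lower()
    ext = ntpath.splitext(low)[1]
    # Sigma "Suspicious Call by Ordinal": rundll32 given ",#N" instead of an export name.
    if export and export.startswith("#"):
        findings.append((ev.pid, "suspicious_call_by_ordinal"))
    # rundll32 calling DllRegisterServer, which regsvr32 would normally do.
    if exe == "rundll32.exe" and export and export.lower() == "dllregisterserver":
        findings.append((ev.pid, "rundll32_dllregisterserver"))
    # A module under System32/SysWOW64 whose extension these loaders do not normally take
    # (the dropped ...\Dfktehrjwgeevy\pakqi.bja in the tree).
    if low.startswith(SYSTEM_DIRS) and ext not in LOADER_EXTS:
        findings.append((ev.pid, "renamed_module_in_system_dir"))
    # Silent regsvr32 registration of a DLL sitting in a user-writable location.
    if exe == "regsvr32.exe" and re.search(r"\s/s\s", ev.cmdline, re.I) and low.startswith("c:\\users\\"):
        findings.append((ev.pid, "silent_regsvr32_user_profile"))
    return findings


def check_network(ev: NetEvent, c2: Set[Tuple[str, int]]) -> List[Finding]:
    """A Windows loader binary talking to an endpoint from the extracted C2 list."""
    exe = ntpath.basename(ev.image).lower()
    if exe in ("rundll32.exe", "regsvr32.exe") and (ev.dst_ip, ev.dst_port) in c2:
        return [(ev.pid, "loader_to_configured_c2")]
    return []


def parse_c2(entries: Iterable[str]) -> Set[Tuple[str, int]]:
    """Turn the configuration's "ip:port" strings into (ip, port) tuples."""
    out = set()
    for entry in entries:
        ip, port = entry.rsplit(":", 1)
        out.add((ip, int(port)))
    return out


def analyse(procs: Iterable[ProcEvent], nets: Iterable[NetEvent],
            c2: Set[Tuple[str, int]]) -> List[Finding]:
    findings: List[Finding] = []
    for p in procs:
        findings.extend(check_process(p))
    for n in nets:
        findings.extend(check_network(n, c2))
    return findings


# Constructed events modelled on the report's process tree (not a Sysmon or sandbox export).
PROCESS_EVENTS = [
    ProcEvent(6260, r"C:\Windows\SysWOW64\loaddll32.exe",
              r'loaddll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll"'),
    ProcEvent(6072, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1'),
    ProcEvent(4180, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer'),
    ProcEvent(6500, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja",rArKTBwXKBsr'),
    ProcEvent(6664, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dfktehrjwgeevy\pakqi.bja",DllRegisterServer'),
    ProcEvent(5396, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'regsvr32.exe /s C:\Users\user\Desktop\YBfn5E3Dlw.dll'),
    # Invented benign control: a normal Control Panel launch must produce no finding.
    ProcEvent(9001, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
]
NET_EVENTS = [
    NetEvent(6500, r"C:\Windows\SysWOW64\rundll32.exe", "69.16.218.101", 8080),
    NetEvent(9001, r"C:\Windows\System32\rundll32.exe", "203.0.113.10", 443),  # invented, non-C2
]
# Subset of the 27 endpoints in the extracted configuration (the two contacted ones plus three more).
C2_ENDPOINTS = parse_c2([
    "45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080",
    "54.38.242.185:443", "207.148.81.119:8080",
])

if __name__ == "__main__":
    for pid, rule in analyse(PROCESS_EVENTS, NET_EVENTS, C2_ENDPOINTS):
        print(pid, rule)
```

The ordinal and DllRegisterServer rules fire on the command line alone; the renamed-module rule needs nothing beyond the path because rundll32 and regsvr32 have no legitimate reason to load a ".bja" file from a System32 subdirectory. The network rule is only as good as the C2 list it is fed, so in production it would be populated from the full extracted configuration rather than the five entries here.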
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor  IPs: the 27 IP:port endpoints listed under Malware Configuration above (45.138.98.34:80, 69.16.218.101:8080, 51.210.242.234:8080, 185.148.168.220:8080, 142.4.219.173:8080, 54.38.242.185:443, 191.252.103.16:80, 104.131.62.48:8080, 62.171.178.147:8080, 217.182.143.207:443, 168.197.250.14:80, 37.44.244.177:8080, 66.42.57.149:443, 210.57.209.142:8080, 159.69.237.188:443, 116.124.128.206:8080, 128.199.192.135:8080, 195.154.146.35:443, 185.148.168.15:8080, 195.77.239.39:8080, 207.148.81.119:8080, 85.214.67.203:8080, 190.90.233.66:443, 78.46.73.125:443, 78.47.204.80:443, 37.59.209.141:8080, 54.37.228.122:443)
Source: Joe Sandbox View  ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View  ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View  IP Address: 207.148.81.119
Source: Joe Sandbox View  IP Address: 104.131.62.48
Source: global traffic  TCP traffic: 192.168.2.4:49791 -> 69.16.218.101:8080
Source: unknown  Network traffic detected: IP country count 12
Source: unknown  TCP traffic detected without corresponding DNS query: 45.138.98.34 (listed 3 times)
Source: unknown  TCP traffic detected without corresponding DNS query: 69.16.218.101 (listed 11 times)
Source: svchost.exe, 00000013.00000003.808009499.000002EBAEF89000.00000004.00000001.sdmp  String found in binary or memory: Microsoft Store catalogue record for "Spotify - Music and Podcasts" (ProductId 9NCBCSZSJRSB, PackageFamilyName SpotifyAB.SpotifyMusic_zpdnekdrzrea0), containing http://www.facebook.com/spotify  equals www.facebook.com (Facebook)
Source: svchost.exe, 00000013.00000003.808009499.000002EBAEF89000.00000004.00000001.sdmp  String found in binary or memory: the same Store record, containing http://twitter.com/spotify  equals www.twitter.com (Twitter)
Source: svchost.exe, 00000013.00000003.808009499.000002EBAEF89000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.808025358.000002EBAEF9A000.00000004.00000001.sdmp  String found in binary or memory: the same Store record in full (search hints, per-country market list, AlternateIds, RevisionId 2022-01-07T11:33:20.1626869Z, truncated in the report at "DisplaySkuAvailab"); this is Store catalogue data cached by an svchost.exe process, not a string from the sample
Source: svchost.exe, 00000013.00000002.823886227.000002EBAE6E9000.00000004.00000001.sdmp  String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000013.00000002.823886227.000002EBAE6E9000.00000004.00000001.sdmp  String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.dr  String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp  String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.12.dr  String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp  String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp  String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp  String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000013.00000003.800383001.000002EBAEF79000.00000004.00000001.sdmp  String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 00000013.00000003.800332710.000002EBAEFA1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800427811.000002EBAF402000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800351036.000002EBAEFA1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800401036.000002EBAEF8A000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800383001.000002EBAEF79000.00000004.00000001.sdmp  String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe  Code function: 2_2_10001280 recvfrom,
Source: loaddll32.exe, 00000000.00000000.678773988.000000000111B000.00000004.00000020.sdmp  Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\regsvr32.exe  Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match	File source: 7.2.rundll32.exe.59f0000.10.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.5630000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.4720000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 0.2.loaddll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.5690000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.53f0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 11.2.rundll32.exe.b50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 3.2.rundll32.exe.1270000.0.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.56c0000.9.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 3.2.rundll32.exe.12a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 3.2.rundll32.exe.1270000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 0.0.loaddll32.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 0.2.loaddll32.exe.2ae0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.4f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 0.0.loaddll32.exe.2ae0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.3450000.0.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.5500000.5.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.5420000.3.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 2.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.5660000.7.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 11.2.rundll32.exe.b80000.1.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.53f0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 0.0.loaddll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.11c0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.59f0000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.3600000.1.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.47b0000.7.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.4780000.6.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.4f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 0.0.loaddll32.exe.2ab0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 11.2.rundll32.exe.b50000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.54d0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.11c0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.5a20000.11.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 0.2.loaddll32.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 0.0.loaddll32.exe.2ae0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.4750000.5.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.4720000.4.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.5690000.8.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.b20000.1.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.5630000.6.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 0.0.loaddll32.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.54d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 2.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 7.2.rundll32.exe.3450000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 2.2.regsvr32.exe.c60000.1.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.11f0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 4.2.rundll32.exe.4780000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 00000000.00000000.680031217.0000000002AE1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 0000000B.00000002.687070469.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.684992268.0000000003450000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000000.00000002.703964616.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.687871792.0000000005661000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.687254093.0000000005501000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.686420197.00000000053F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.688080295.0000000005690000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.687539122.0000000005630000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000003.00000002.670630923.0000000001270000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000000.00000000.679124499.0000000002AE1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000004.00000002.717791244.00000000047B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 0000000B.00000002.687321793.0000000000B81000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000004.00000002.717740715.0000000004780000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000000.00000002.704266978.0000000002AE1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000000.00000000.679046535.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000002.00000002.670153557.0000000000C61000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000002.00000002.670105180.0000000000980000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000000.00000000.679999425.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.688465307.00000000059F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000004.00000002.716834900.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.688659098.0000000005A21000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000003.00000002.670654175.00000000012A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000004.00000002.716329937.0000000000B21000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.688152191.00000000056C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000004.00000002.717660130.0000000004720000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000004.00000002.715971380.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.686930115.00000000054D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000004.00000002.716952958.00000000011F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000004.00000002.717702240.0000000004751000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.685377727.0000000003601000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000007.00000002.686624450.0000000005421000.00000020.00000001.sdmp, type: MEMORY

                      System Summary:

                      Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260
                      Source: C:\Windows\SysWOW64\rundll32.exe	File deleted: C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\SysWOW64\Ytghf\
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFEFDD
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF3EAA
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEBAA9
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFA2A5
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02B046BD
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE1CA1
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF0EBC
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF0ABA
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEC6B8
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02B036AA
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEF0E9
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFE4E5
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFBEFD
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02B03EE9
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02B000EF
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE80C0
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFD8DB
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFCCD9
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFCAD5
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEB820
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE8636
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE3431
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF7A0F
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF8806
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF9A01
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02B02009
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF4A66
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02B03263
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02B00A64
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF567B
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE7078
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE7E79
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEDE74
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFA474
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFDC71
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEA871
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEA445
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF4244
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE7442
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEE640
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFF840
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF2E5D
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFB257
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF8FAE
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02B017BD
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE77A3
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEBFBE
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFD1BC
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE57B8
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02B007AA
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEFB8E
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE238C
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF6187
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF0F86
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF3D85
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE2194
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF67E6
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF85FF
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE55FF
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE4BFC
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF27F9
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFE1F8
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF9DF5
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF07F4
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEE7DE
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFFBDE
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEC5D8
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFC5D5
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF8D3D
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE1F38
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF5333
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEEF0C
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE670B
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFAD08
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02B02B09
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF5515
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AEF369
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AE6B7A
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF017B
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF437A
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF5779
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF4F74
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF9774
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AED14C
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02B02D53
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF654A
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF2142
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AF7D5B
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFFF58
                      Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02AFE955
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100291F6
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002F378
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100403D7
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1004250B
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10041557
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100395A1
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002F784
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1004091B
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002EACF
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100291F6
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F378
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100403D7
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004250B
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10041557
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100395A1
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F784
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004091B
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EACF
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EFA4
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100291F6
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002F378
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100403D7
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004250B
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10041557
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100395A1
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002F784
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004091B
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002EACF
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002EFA4
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030E38 appears 49 times
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030535 appears 75 times
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030E38 appears 116 times
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1003578B appears 46 times
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030535 appears 174 times
                      Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030568 appears 32 times
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
                      Source: YBfn5E3Dlw.dll	Virustotal: Detection: 13%
                      Source: YBfn5E3Dlw.dll	ReversingLabs: Detection: 16%
                      Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll"
                      Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YBfn5E3Dlw.dll
                      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YBfn5E3Dlw.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer
                      Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260
                      Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja",rArKTBwXKBsr
                      Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 552
                      Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dfktehrjwgeevy\pakqi.bja",DllRegisterServer
                      Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YBfn5E3Dlw.dll
                      Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YBfn5E3Dlw.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja",rArKTBwXKBsr
                      Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260
                      Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 552
                      Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dfktehrjwgeevy\pakqi.bja",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\System32\svchost.exe	File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF761.tmp
                      Source: classification engine	Classification label: mal92.troj.evad.winDLL@26/10@0/28
                      Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Users\desktop.ini
                      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
                      Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6260
                      Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5628:64:WilError_01
                      Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10021183 LoadResource,LockResource,SizeofResource,
                      Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.685499614.0000000004D25000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685556011.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685774449.0000000003291000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.690080981.00000000050A5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.685541913.000000000328C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.686171794.000000000328C000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000C.00000003.690080981.00000000050A5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: a,njr/nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.702514723.0000000000C92000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.685885045.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685567908.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685783143.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.685885045.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685567908.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685783143.0000000003297000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.685556011.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685774449.0000000003291000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
                      Source: Binary string: Kernel.Appcore.pdb^;V source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.685541913.000000000328C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.686171794.000000000328C000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02AE1195 push cs; iretd
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10030E7D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10030E7D push ecx; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YBfn5E3Dlw.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Ytghf\cgnbs.rer:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 5636Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\SysWOW64\regsvr32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Windows\SysWOW64\regsvr32.exeAPI coverage: 4.9 %
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 5.2 %
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 5.4 %
                      Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.12.drBinary or memory string: VMware
                      Source: Amcache.hve.12.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.12.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.12.drBinary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.12.drBinary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
                      Source: Amcache.hve.12.drBinary or memory string: VMware, Inc.
                      Source: svchost.exe, 00000013.00000002.823902052.000002EBAE6F8000.00000004.00000001.sdmpBinary or memory string: (@Hyper-V RAW
                      Source: Amcache.hve.12.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.12.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.12.drBinary or memory string: VMware7,1
                      Source: Amcache.hve.12.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.12.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.12.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: svchost.exe, 00000013.00000002.823886227.000002EBAE6E9000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: Amcache.hve.12.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.12.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.12.drBinary or memory string: VMware, Inc.me
                      Source: Amcache.hve.12.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: svchost.exe, 00000013.00000002.823744367.000002EBAE687000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW`
                      Source: Amcache.hve.12.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02AEF7F7 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02AEC6B8 LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 69.16.218.101 144
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 45.138.98.34 80
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 552
                      Source: loaddll32.exe, 00000000.00000000.678909155.00000000015A0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.679921964.00000000015A0000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000000.678909155.00000000015A0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.679921964.00000000015A0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.678909155.00000000015A0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.679921964.00000000015A0000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.678909155.00000000015A0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.679921964.00000000015A0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10024F01 _memset,GetVersionExA,
Source: Amcache.hve.12.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information:

Yara detected Emotet
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 2 | DLL Side-Loading 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 2 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 112 | Obfuscated Files or Information 2 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Input Capture 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading 1 | Security Account Manager | System Information Discovery 25 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | File Deletion 1 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 2 | LSA Secrets | Security Software Discovery 41 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 2 | Cached Domain Credentials | Virtualization/Sandbox Evasion 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Regsvr32 1 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact

                      Behavior Graph

Behavior Graph ID: 553389; Sample: YBfn5E3Dlw; Start date: 14/01/2022; Architecture: WINDOWS; Score: 92

Top-level network nodes: 210.57.209.142 (UNAIR-AS-ID Universitas Airlangga, Indonesia), 85.214.67.203 (STRATO AG, Germany), 23 other IPs or domains

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 3 other signatures

Process tree as drawn in the graph:

• loaddll32.exe -> cmd.exe -> rundll32.exe -> rundll32.exe [Hides that the sample has been downloaded from the Internet (zone.identifier)] -> rundll32.exe -> rundll32.exe [System process connects to network (likely due to code injection or exploit)], which connects to 45.138.98.34 port 80 (M247GB, Germany) and 69.16.218.101 port 8080 (LIQUIDWEBUS, United States)
• loaddll32.exe -> rundll32.exe [Hides that the sample has been downloaded from the Internet (zone.identifier)], which contacts 192.168.2.1 (unknown)
• loaddll32.exe -> regsvr32.exe -> rundll32.exe
• loaddll32.exe -> WerFault.exe
• svchost.exe -> WerFault.exe
• svchost.exe and 2 other processes started at top level


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner
YBfn5E3Dlw.dll | 14% | Virustotal
YBfn5E3Dlw.dll | 16% | ReversingLabs

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
11.2.rundll32.exe.b50000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
0.2.loaddll32.exe.2ab0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
7.2.rundll32.exe.56c0000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.1270000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
7.2.rundll32.exe.59f0000.10.unpack | 100% | Avira | HEUR/AGEN.1145233
0.2.loaddll32.exe.2ae0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.loaddll32.exe.2ae0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.12a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.3450000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
7.2.rundll32.exe.5420000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.5500000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.loaddll32.exe.2ab0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
11.2.rundll32.exe.b80000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.53f0000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
7.2.rundll32.exe.5660000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.11c0000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.4780000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
7.2.rundll32.exe.3600000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.47b0000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.loaddll32.exe.2ab0000.3.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.4f0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
7.2.rundll32.exe.5a20000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.4750000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.loaddll32.exe.2ae0000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.4720000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
7.2.rundll32.exe.5690000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.b20000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.5630000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
2.2.regsvr32.exe.c60000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.54d0000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.11f0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.regsvr32.exe.980000.0.unpack | 100% | Avira | HEUR/AGEN.1145233

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 00000013.00000002.823886227.000002EBAE6E9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.12.dr | false | - | high
https://www.tiktok.com/legal/report | svchost.exe, 00000013.00000003.800383001.000002EBAEF79000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000013.00000003.800332710.000002EBAEFA1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800427811.000002EBAF402000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800351036.000002EBAEFA1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800401036.000002EBAEF8A000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800383001.000002EBAEF79000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://help.disneyplus.com. | svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://disneyplus.com/legal. | svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                        Contacted IPs


                        Public


                        Private

                        IP
                        192.168.2.1

                        General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553389
Start date: 14.01.2022
Start time: 19:48:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 0s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: YBfn5E3Dlw (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.troj.evad.winDLL@26/10@0/28
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 98.9% (good quality ratio 92.4%)
• Quality average: 70.5%
• Quality standard deviation: 26.8%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 173.222.108.210, 173.222.108.226, 40.91.112.76, 20.54.110.249
• Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
19:50:46 | API Interceptor | 7x Sleep call for process: svchost.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_12a180e49793e381a8b848106c2e1caa7a6a4277_7cac0383_18a51c8a\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7981757905947282
Encrypted: false
SSDEEP: 96:kc4SgFonYyBy9haol7Jf0pXIQcQSc6mcEUcw3/s+a+z+HbHgpVG4rmMoVazWbSmj:eunLHsieryjpq/u7saS274ItW
MD5: F6F986B555349D70EC66E15ABCC41890
SHA1: 5C2EF2932A1F16307AC18951CBACD3F50151C05F
SHA-256: 4D9F534FD2F77A71E36EA3A820599F7C5B4489D1D32039948B965D53AD59414E
SHA-512: 2A217B88926A7AB47A31A6F472CBF54173675B9502AF968B4BA16FFB2A0C0463CB2F7BB6023111D76890DBD98470A914D42751D7A0F3ECB4204486BCEFD65831
Malicious: false
                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.5.9.7.9.5.1.6.4.8.8.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.d.3.1.0.f.2.-.f.9.e.1.-.4.a.d.7.-.a.1.b.3.-.1.2.6.2.3.e.d.3.f.e.2.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.2.e.c.b.1.7.f.-.0.a.4.4.-.4.7.8.e.-.b.e.a.d.-.e.f.e.0.6.4.4.7.9.0.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.7.4.-.0.0.0.1.-.0.0.1.b.-.2.2.e.d.-.a.d.7.e.7.7.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER355.tmp.dmp
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Fri Jan 14 18:49:56 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):44300
                        Entropy (8bit):2.1290506370949975
                        Encrypted:false
                        SSDEEP:192:NedqBIhNxjO5mYROQaPYfEgZGvI0yrfZPZ/PZw/WcmW0v7kcF4Nw7WZNVNF:4ta5rBDYvRgxDw/zmWY7kcF5WXV7
                        MD5:7D5D469A218004033CF0ED3664400CB8
                        SHA1:C4EE2D5FE696E1BD6F71C0E0DD8DA2F3490A1A5E
                        SHA-256:6EFF54679F3143D50E0ABD570796F215A314A2C9944755DF38223084BEEFEC85
                        SHA-512:9E70894E19311018AAD958273E4D0EE97C063967501794D2F81F8243E1591C17310F2836761C28BCA875B2CAFB035E9C50D945CF0410355529C502B196EEA970
                        Malicious:false
                        Preview: MDMP....... ..........a....................................$...T............%..........`.......8...........T...........................x...........d....................................................................U...........B..............GenuineIntelW...........T.......t......a.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER961.tmp.WERInternalMetadata.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8348
                        Entropy (8bit):3.701420415223348
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNiYR6OAx6YrJSUXy1gmfdSwGs+pBs89bakKhsf3N+m:RrlsNi26OAx6YlSUXy1gmfdSwCakKaf9
                        MD5:0E3B556676E1972AF45F6860569A4348
                        SHA1:CCA48B9EBB72F6FD774F8A5B325A3F3E01F2CACC
                        SHA-256:75B3330CE4091AB2C41009973760A92D19547054C547DA848BB949965346C191
                        SHA-512:AA446E322338003BA84B921EBBB6EB3F7B7E8618994D96CFB0E0EEF8A8C98B3A33B4D6E0CEFA8362F80E04857643EEBB071D126D5CBF04F1CD544F0EA7CD6B0F
                        Malicious:false
                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.6.0.<./.P.i.d.>.......
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERE44.tmp.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4598
                        Entropy (8bit):4.473108429492209
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zs3JgtWI924WSC8BVp8fm8M4J2+SZFL+q84pzLTKcQIcQw0Vd:uITfZhxSN/OJQfxXKkw0Vd
                        MD5:032926C5777B8A0C1B4AE5FD2E6341A0
                        SHA1:40E9C560877A7DFD13F7B873DB21A94969A4A750
                        SHA-256:8A52CE09864457C05D2CFFC21719F2D4FBD93C39AC133CE67772F37C1192E695
                        SHA-512:789F99617C9DA1188FFABCB71B4DAC6B055BBBE16F83B0962FF121CAD9A81EFA03196AD58FAD7C61FFE7A82FC65E6AF7AA0B5D1283E03CF5BEC27BE3E7BF3A98
                        Malicious:false
                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342320" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF761.tmp.csv
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):54270
                        Entropy (8bit):3.039245433474246
                        Encrypted:false
                        SSDEEP:1536:bNHszwoPun9zObOA3An2NH8eII/TlS6KzOojlp2mpoc:bNHszwoPun9zObOA3An2NH8eII/To6KV
                        MD5:E774D2B8707457EEF38FFCD785616182
                        SHA1:D5368EC392C150B5C1D2C5601A775ACD0A3F0E1D
                        SHA-256:77A23CBC153EFAC355ADC08F9839A27BE6B22F69C013158BD4140162E57F60DD
                        SHA-512:DAA572285A4531933A3C0605EE7B40B05E793008F187AB2F7D4588BB970B39EB1561C5A95C5AAB74A77AB9A63A7DD1F29C3CA41D8B4E579E1EF1BB630D8993C9
                        Malicious:false
                        Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF61.tmp.txt
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):13340
                        Entropy (8bit):2.694806766675773
                        Encrypted:false
                        SSDEEP:96:9GiZYWlEgJhIqYBYwOW5VHZYEZZmtk0iOlBIHwQAKnaF1BCBwHIA+P3:9jZDl8qWXZHdZnaF1BCBlpP3
                        MD5:548F7476594C65B2D9A44ADBE265DD3B
                        SHA1:4D81020E8B908AA93E7BBF9B4727F6F4EE2EA264
                        SHA-256:C6AF5658B1289EA4A6A4A33E9CD9BFB885277974F2741F5D2EDC54DF3F3F340B
                        SHA-512:3015496AA8DB2EEF81C8B3E35CE453A080293518DE509B6B9D2BC4BA83C58FE0E33A114D12F94387F70DF3C92D62C27F650090FE2B4923706581A26245B5A4D5
                        Malicious:false
                        Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                        Category:dropped
                        Size (bytes):61414
                        Entropy (8bit):7.995245868798237
                        Encrypted:true
                        SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                        MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                        SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                        SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                        SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                        Malicious:false
                        Preview: MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:data
                        Category:modified
                        Size (bytes):328
                        Entropy (8bit):3.1084656046114056
                        Encrypted:false
                        SSDEEP:6:kKkahk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:h9kPlE99SNxAhUeYlUSA/t
                        MD5:F265C930EF44E6ACBA853DC0EF3CCA52
                        SHA1:98DBD62394E3FAD572DEAABAD08BF56A2F355F03
                        SHA-256:A51CCED759A41167FA135BF13E26467986C030908DB1B708157F0BD073DA6EDD
                        SHA-512:78A8EB17A923CC0C607BB055AD87B3979E992A165A324E1ABD09BAB284A57B30686C21879DC90C9389EA7F771D8B5AA5767FF5B890DEB6C5B7A631530934D736
                        Malicious:false
                        Preview: p...... .........(..w...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...
                        C:\Windows\appcompat\Programs\Amcache.hve
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1572864
                        Entropy (8bit):4.23652836958112
                        Encrypted:false
                        SSDEEP:12288:Al/ULFzTnZ67Hr5Kem9F7r66iL9Cvdq6KsqEFm4OrTkkiyrI:y/ULFzTnZ6br5K33i
                        MD5:0F7E9389B8352594A1D1DA63202D5E76
                        SHA1:B8D01D1CAB800DBB068758A3FDA30883C526A6B3
                        SHA-256:C688CB041A1A6F2729B4E4EDBACD0CDC07632B2136EF3D45501BEB791B1D9620
                        SHA-512:4B3AAE60BEA27A4586D32A6C4F63D490BA206EFA136C5792A598756B929EDC42F7B384A068CB3FB653DEE7EB83CF454F20FA5C6AE4BB8719BDD14051E389296B
                        Malicious:false
                        Preview: regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.]..w...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):16384
                        Entropy (8bit):3.7219597294472537
                        Encrypted:false
                        SSDEEP:384:z8f5K5lcv4KgnVVeeDzei1NKZtjaT8GRFwWno:QhK+g/eeDzesNYtjnGRFwW
                        MD5:E0EE0560CE5C8770F5E1AE82080874B1
                        SHA1:DBB38E3F880FC4E4EC56BBDA55EB1E633C274E75
                        SHA-256:35AE4F85D7E0B29E096DB29EAF98B81BE8536CF0734CEDDD3847B7CC5D65DD7A
                        SHA-512:7A6C835174199EA9864D4FF672FD07F707B87CF29D280FD1F0CD4B9DA043021D488B1868BDAD3EBB6E847D10B3435F077D445EFE1220BF8F9C26E98CB8503AEB
                        Malicious:false
                        Preview: regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.]..w...................................................................................................................................................................................................................................................................................................................................................HvLE.>......G...........?.G...7...N_.M.........................hbin................p.\..,..........nk,....w................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....w....... ........................... .......Z.......................Root........lf......Root....nk ....w................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                        Static File Info

                        General

                        File type:
                        Entropy (8bit):6.767616444278102
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
                        • Windows Screen Saver (13104/52) 1.29%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:YBfn5E3Dlw.dll
                        File size:588288
                        MD5:038f9a9d5b96733a9b3030cfbe4e4535
                        SHA1:3b8a4b81f0b06514188e4f935d5f4b0858b93806
                        SHA256:d46762ba155e3345baf5d9e9453e6cd8e0647438693abddf34f98ae8d6bd436a
                        SHA512:3f9aea01963c0d9daa7739277fea7af2b3fe86c41a211fb73b2a35e9506856da91bc334a7c4e63ae83094fe696a8b45e8e5050240a1545e5f891fa4c22512671
                        SSDEEP:6144:cNU5LwA22222GgngDrDRVyYli/ci2tEGW78ODQiERtvOSk5DKXOW14IkFxVFgY4E:x5w7YM/cYVV7EWOpOJyvnHtytFyQ
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.......................................^F......^P.n....^W.t....^Y......^A......^G......^B.....Rich....................PE..L..

                        File Icon

                        Icon Hash:71b018ccc6577131

                        Network Behavior

                        Snort IDS Alerts

                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        01/14/22-19:50:18.278585 | TCP | 2404332 | ET CNC Feodo Tracker Reported CnC Server TCP group 17 | 49790 | 80 | 192.168.2.4 | 45.138.98.34
                        01/14/22-19:50:19.639317 | TCP | 2404338 | ET CNC Feodo Tracker Reported CnC Server TCP group 20 | 49791 | 8080 | 192.168.2.4 | 69.16.218.101

                        Network Port Distribution

                        TCP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jan 14, 2022 19:50:18.278584957 CET | 49790 | 80 | 192.168.2.4 | 45.138.98.34
                        Jan 14, 2022 19:50:18.295628071 CET | 80 | 49790 | 45.138.98.34 | 192.168.2.4
                        Jan 14, 2022 19:50:18.870325089 CET | 49790 | 80 | 192.168.2.4 | 45.138.98.34
                        Jan 14, 2022 19:50:18.887774944 CET | 80 | 49790 | 45.138.98.34 | 192.168.2.4
                        Jan 14, 2022 19:50:19.573530912 CET | 49790 | 80 | 192.168.2.4 | 45.138.98.34
                        Jan 14, 2022 19:50:19.590563059 CET | 80 | 49790 | 45.138.98.34 | 192.168.2.4
                        Jan 14, 2022 19:50:19.639317036 CET | 49791 | 8080 | 192.168.2.4 | 69.16.218.101
                        Jan 14, 2022 19:50:19.765877962 CET | 8080 | 49791 | 69.16.218.101 | 192.168.2.4
                        Jan 14, 2022 19:50:19.766030073 CET | 49791 | 8080 | 192.168.2.4 | 69.16.218.101
                        Jan 14, 2022 19:50:19.794168949 CET | 49791 | 8080 | 192.168.2.4 | 69.16.218.101
                        Jan 14, 2022 19:50:19.920645952 CET | 8080 | 49791 | 69.16.218.101 | 192.168.2.4
                        Jan 14, 2022 19:50:19.933572054 CET | 8080 | 49791 | 69.16.218.101 | 192.168.2.4
                        Jan 14, 2022 19:50:19.933604002 CET | 8080 | 49791 | 69.16.218.101 | 192.168.2.4
                        Jan 14, 2022 19:50:19.933727026 CET | 49791 | 8080 | 192.168.2.4 | 69.16.218.101
                        Jan 14, 2022 19:50:24.897527933 CET | 49791 | 8080 | 192.168.2.4 | 69.16.218.101
                        Jan 14, 2022 19:50:25.023994923 CET | 8080 | 49791 | 69.16.218.101 | 192.168.2.4
                        Jan 14, 2022 19:50:25.031388044 CET | 8080 | 49791 | 69.16.218.101 | 192.168.2.4
                        Jan 14, 2022 19:50:25.031488895 CET | 49791 | 8080 | 192.168.2.4 | 69.16.218.101
                        Jan 14, 2022 19:50:25.037769079 CET | 49791 | 8080 | 192.168.2.4 | 69.16.218.101
                        Jan 14, 2022 19:50:25.164257050 CET | 8080 | 49791 | 69.16.218.101 | 192.168.2.4
                        Jan 14, 2022 19:50:25.677548885 CET | 8080 | 49791 | 69.16.218.101 | 192.168.2.4
                        Jan 14, 2022 19:50:25.678915977 CET | 49791 | 8080 | 192.168.2.4 | 69.16.218.101
                        Jan 14, 2022 19:50:28.678262949 CET | 8080 | 49791 | 69.16.218.101 | 192.168.2.4
                        Jan 14, 2022 19:50:28.678286076 CET | 8080 | 49791 | 69.16.218.101 | 192.168.2.4
                        Jan 14, 2022 19:50:28.678374052 CET | 49791 | 8080 | 192.168.2.4 | 69.16.218.101
                        Jan 14, 2022 19:52:08.193602085 CET | 49791 | 8080 | 192.168.2.4 | 69.16.218.101
                        Jan 14, 2022 19:52:08.193706989 CET | 49791 | 8080 | 192.168.2.4 | 69.16.218.101

                        Code Manipulations

                        Statistics

                        Behavior

                        System Behavior

                        General

                        Start time:19:49:43
                        Start date:14/01/2022
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll"
                        Imagebase:0xef0000
                        File size:116736 bytes
                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.680031217.0000000002AE1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.703964616.0000000002AB0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.679124499.0000000002AE1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.704266978.0000000002AE1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.679046535.0000000002AB0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.679999425.0000000002AB0000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:moderate

                        General

                        Start time:19:49:44
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:19:49:44
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\regsvr32.exe
                        Wow64 process (32bit):true
                        Commandline:regsvr32.exe /s C:\Users\user\Desktop\YBfn5E3Dlw.dll
                        Imagebase:0xcf0000
                        File size:20992 bytes
                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.670153557.0000000000C61000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.670105180.0000000000980000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:19:49:44
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
                        Imagebase:0x12f0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.670630923.0000000001270000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.670654175.00000000012A1000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:19:49:45
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe C:\Users\user\Desktop\YBfn5E3Dlw.dll,DllRegisterServer
                        Imagebase:0x12f0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.717791244.00000000047B1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.717740715.0000000004780000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.716834900.00000000011C0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.716329937.0000000000B21000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.717660130.0000000004720000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.715971380.00000000004F0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.716952958.00000000011F1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.717702240.0000000004751000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:19:49:46
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer
                        Imagebase:0x12f0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:19:49:46
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer
                        Imagebase:0x12f0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.684992268.0000000003450000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.687871792.0000000005661000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.687254093.0000000005501000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.686420197.00000000053F0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.688080295.0000000005690000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.687539122.0000000005630000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.688465307.00000000059F0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.688659098.0000000005A21000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.688152191.00000000056C1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.686930115.00000000054D0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.685377727.0000000003601000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.686624450.0000000005421000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:19:49:50
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                        Imagebase:0x7ff6eb840000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:19:49:50
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260
                        Imagebase:0xd70000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:19:49:51
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja",rArKTBwXKBsr
                        Imagebase:0x12f0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.687070469.0000000000B50000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.687321793.0000000000B81000.00000020.00000001.sdmp, Author: Joe Security

                        General

                        Start time:19:49:52
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 552
                        Imagebase:0xd70000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:19:49:53
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dfktehrjwgeevy\pakqi.bja",DllRegisterServer
                        Imagebase:0x12f0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:19:50:07
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6eb840000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:19:50:31
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6eb840000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:19:50:44
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6eb840000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Disassembly

                        Code Analysis