Edit tour

Windows Analysis Report
MIpuuSiSZ4

Overview

General Information

Sample Name:	MIpuuSiSZ4 (renamed file extension from none to dll)
Analysis ID:	671702
MD5:	1dd34935a785a419fb552b5086ea682e
SHA1:	c6c966e4ba623f9972273de07b842ffbb9a9efce
SHA256:	8b5a10f9a8f2b25057442111a01faf021ef7e048eab875a4078a44758d952c6f
Tags:	exeOpenCTIBRSandboxed
Infos:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Registers a DLL

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7160 cmdline: loaddll64.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 6376 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 6160 cmdline: rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 6728 cmdline: C:\Windows\system32\WerFault.exe -u -p 6160 -s 336 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

regsvr32.exe (PID: 5016 cmdline: regsvr32.exe /s C:\Users\user\Desktop\MIpuuSiSZ4.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 5696 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FmCnbLJkOlaRytmc\QMbXoKRooU.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

rundll32.exe (PID: 3896 cmdline: rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddStroke MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 4412 cmdline: C:\Windows\system32\WerFault.exe -u -p 3896 -s 328 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

rundll32.exe (PID: 5804 cmdline: rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddWordsToWordList MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2196 cmdline: rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AdviseInkChange MD5: 73C519F050C20580F8A62C849D49215A)

regsvr32.exe (PID: 5428 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbTPHZsAWIZFUi\eAeQcUPg.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

svchost.exe (PID: 3316 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 6496 cmdline: C:\Windows\system32\WerFault.exe -pss -s 484 -p 6160 -ip 6160 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

WerFault.exe (PID: 6568 cmdline: C:\Windows\system32\WerFault.exe -pss -s 516 -p 3896 -ip 3896 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

svchost.exe (PID: 6584 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4900 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5068 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5928 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6188 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["192.168.2.7:2", "244.26.0.0:1", "240.69.242.0:2", "184.6.0.0:1", "64.6.0.0:1", "192.6.0.0:1", "244.6.0.0:1", "4.7.0.0:1", "20.7.0.0:1", "76.7.0.0:1", "92.7.0.0:1", "108.7.0.0:1", "112.7.0.0:1", "200.6.0.0:1", "16.7.0.0:1", "96.7.0.0:1", "124.7.0.0:1", "80.7.0.0:1", "128.7.0.0:1", "240.6.0.0:1", "32.7.0.0:1", "36.7.0.0:1", "214.112.3.0:5308", "241.112.3.0:5164", "243.112.3.0:1484"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.457523835.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.454942955.0000000001411000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.460329273.0000016A80010000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.500443188.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.883306468.0000000001000000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.503233757.0000021313901000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.460399040.0000016A80071000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.883481925.0000000002861000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.499993940.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.488615007.000001942A671000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000000.458204040.0000021313901000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.468293754.00000195C58D1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000000.457983091.0000021313760000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000000.457466014.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.454887422.00000000013B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000000.448855621.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000000.454361313.0000021313901000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000000.448792384.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.468234789.00000195C5870000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.882519844.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Emotet_3		Joe Security
00000004.00000000.454167344.0000021313760000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.503043476.0000021313760000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.488528971.000001942A5D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.1a6c08b0000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.195c5870000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.0.rundll32.exe.1a6c08b0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.21313760000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.1000000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.21313760000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.1a6c08b0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll64.exe.1942a5d0000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.21313760000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.16a80010000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.16a80010000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.21313760000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.0.rundll32.exe.1a6c08b0000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.195c5870000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.0.rundll32.exe.1a6c08b0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.1000000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.13b0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.0.rundll32.exe.1a6c08b0000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll64.exe.1942a5d0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.13b0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.21313760000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.21313760000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 17 entries

Snort Signatures

ET CNC Feodo Tracker Reported CnC Server TCP group 9 - Source IP: 192.168.2.7 - Destination IP: 174.138.33.49

Timestamp:	192.168.2.7174.138.33.494979470802404316 07/22/22-13:58:44.263207
SID:	2404316
Source Port:	49794
Destination Port:	7080
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: MIpuuSiSZ4.dll	Virustotal: Detection: 72%	Perma Link
Source: MIpuuSiSZ4.dll	Metadefender: Detection: 54%	Perma Link
Source: MIpuuSiSZ4.dll	ReversingLabs: Detection: 88%

Antivirus detection for URL or domain

Source: https://174.138.33.49/7	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/temy	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/Numv	Avira URL Cloud: Label: malware

Source: 0000000C.00000003.792258520.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["192.168.2.7:2", "244.26.0.0:1", "240.69.242.0:2", "184.6.0.0:1", "64.6.0.0:1", "192.6.0.0:1", "244.6.0.0:1", "4.7.0.0:1", "20.7.0.0:1", "76.7.0.0:1", "92.7.0.0:1", "108.7.0.0:1", "112.7.0.0:1", "200.6.0.0:1", "16.7.0.0:1", "96.7.0.0:1", "124.7.0.0:1", "80.7.0.0:1", "128.7.0.0:1", "240.6.0.0:1", "32.7.0.0:1", "36.7.0.0:1", "214.112.3.0:5308", "241.112.3.0:5164", "243.112.3.0:1484"]}

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180042F88 FindFirstFileExW,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180043464 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180042F88 FindFirstFileExW,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180043464 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0287C9F0 FindFirstFileW,FindNextFileW,

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 174.138.33.49 7080

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.7:49794 -> 174.138.33.49:7080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 192.168.2.7:2
Source: Malware configuration extractor	IPs: 244.26.0.0:1
Source: Malware configuration extractor	IPs: 240.69.242.0:2
Source: Malware configuration extractor	IPs: 184.6.0.0:1
Source: Malware configuration extractor	IPs: 64.6.0.0:1
Source: Malware configuration extractor	IPs: 192.6.0.0:1
Source: Malware configuration extractor	IPs: 244.6.0.0:1
Source: Malware configuration extractor	IPs: 4.7.0.0:1
Source: Malware configuration extractor	IPs: 20.7.0.0:1
Source: Malware configuration extractor	IPs: 76.7.0.0:1
Source: Malware configuration extractor	IPs: 92.7.0.0:1
Source: Malware configuration extractor	IPs: 108.7.0.0:1
Source: Malware configuration extractor	IPs: 112.7.0.0:1
Source: Malware configuration extractor	IPs: 200.6.0.0:1
Source: Malware configuration extractor	IPs: 16.7.0.0:1
Source: Malware configuration extractor	IPs: 96.7.0.0:1
Source: Malware configuration extractor	IPs: 124.7.0.0:1
Source: Malware configuration extractor	IPs: 80.7.0.0:1
Source: Malware configuration extractor	IPs: 128.7.0.0:1
Source: Malware configuration extractor	IPs: 240.6.0.0:1
Source: Malware configuration extractor	IPs: 32.7.0.0:1
Source: Malware configuration extractor	IPs: 36.7.0.0:1
Source: Malware configuration extractor	IPs: 214.112.3.0:5308
Source: Malware configuration extractor	IPs: 241.112.3.0:5164
Source: Malware configuration extractor	IPs: 243.112.3.0:1484

Source: Joe Sandbox View

ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Source: Joe Sandbox View

IP Address: 174.138.33.49 174.138.33.49

Source: global traffic

TCP traffic: 192.168.2.7:49794 -> 174.138.33.49:7080

Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49

Source: regsvr32.exe, 0000000C.00000003.792258520.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.788408312.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.883040476.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.883963436.00000227B5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.740019918.0000014760705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000016.00000002.883963436.00000227B5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.739932682.000001475FCE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 0000000C.00000003.792258520.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.788408312.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.883040476.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.12.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000C.00000003.563716950.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ba3f020901819
Source: regsvr32.exe, 0000000C.00000003.565719065.000000000300D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.883662137.000000000302C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.565412953.0000000002FD1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.565930872.000000000302C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.caby
Source: svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000016.00000002.883340069.00000227AF8AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49/
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49/7
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/Numv
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/temy
Source: svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001E.00000003.710986823.0000014760C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710810502.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710861874.0000014760C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710944641.00000147607AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710923120.000001476079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001E.00000003.710986823.0000014760C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710810502.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710861874.0000014760C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710944641.00000147607AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710923120.000001476079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001E.00000003.710986823.0000014760C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710810502.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710861874.0000014760C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710944641.00000147607AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710923120.000001476079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 0000001E.00000003.719101021.00000147607A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.718967987.00000147607B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.719233278.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.718937080.00000147607B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

E-Banking Fraud

Source: Yara match

File source: 0000000C.00000002.882519844.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Emotet

Source: Yara match	File source: 3.2.rundll32.exe.1a6c08b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.195c5870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.1000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.21313760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1a6c08b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.1942a5d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.16a80010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.16a80010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.195c5870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.1942a5d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.13b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.21313760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.457523835.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.454942955.0000000001411000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.460329273.0000016A80010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.500443188.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.883306468.0000000001000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.503233757.0000021313901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.460399040.0000016A80071000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.883481925.0000000002861000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.499993940.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.488615007.000001942A671000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.458204040.0000021313901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.468293754.00000195C58D1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.457983091.0000021313760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.457466014.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.454887422.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.448855621.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.454361313.0000021313901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.448792384.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.468234789.00000195C5870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.454167344.0000021313760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.503043476.0000021313760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.488528971.000001942A5D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 484 -p 6160 -ip 6160

Source: C:\Windows\System32\regsvr32.exe

File deleted: C:\Windows\System32\FmCnbLJkOlaRytmc\QMbXoKRooU.dll:Zone.Identifier

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

File created: C:\Windows\system32\YbTPHZsAWIZFUi\

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001A098
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003E0D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800180E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001C0F4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001E134
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002C150
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001A1A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018004E1C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800181E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180026288
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001A2A8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800182E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001E320
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001C324
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180058338
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001A3B4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800063E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800183F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002E420
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001E508
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001C510
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180028514
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002C51C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180018548
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018005A5A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180026618
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180018650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180028668
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018004067C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018004E6F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001C6FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001E734
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180018758
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800427CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800287E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180018860
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180016870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800548F8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002C900
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001E91C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001C92C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180016978
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800189CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800427CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180026A24
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180016A80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001EB04
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180018B10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001CB18
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180016B8C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018004EBA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180018C54
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002CCCC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180016CE8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001CD00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001ED30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180018D98
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180016DF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018004CEC8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180018EC8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180016EF8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001EF18
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001CF2C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180042F88
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180018FD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017000
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800190D8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001F104
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001D114
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017158
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002D19C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800191E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017260
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001D2FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018004F2FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001B310
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001F334
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019338
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017368
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019440
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017474
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002B49C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001B4F8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001F520
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001D528
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019548
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800175D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002D680
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800176D4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001F70C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001D710
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001B724
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018004972C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180025740
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800197B8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018004B7E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017800
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800198C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002B8D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001D8FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017908
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001B90C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001F93C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800199C8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017A10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003FA6C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180045A70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019AD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180025AD4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001BAF4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017B18
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001DB2C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002DB50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019C28
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017C70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003BD00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001DD18
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002BD1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001BD20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019D30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017D78
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180045A70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019E38
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180049EEC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180025EFC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001DF04
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001BF08
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003FF1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019F40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017F88
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002DFAC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000019428C20000
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68EB08
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68A804
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68BD64
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A697E28
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A681B88
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A688B3C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A675B18
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68FC70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67CCC8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69B6BC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A687414
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A686978
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A698990
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69796C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69093C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A674948
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A694918
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67D92C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6899F4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68C9F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6829BC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68D9C4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A699A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A692AFC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A691AE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A672AE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67FAD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A690AC4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A673A9C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68F764
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A689720
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68C720
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A683724
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6907D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6827A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68E7A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68484C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A674848
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67F850
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A672820
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68C8C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6878C4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A693894
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67ED84
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A689D5C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A683D1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69BD20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A691D2C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67BD24
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A692E04
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A693DD4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A690DBC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A672DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A687DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A699DA8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69BE90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68EE5C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67FE58
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A683E18
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A695E30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A694EF4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A698EE8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A689EC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67DB74
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A680B60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67CB6C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A696B40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A687B24
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A698B28
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67BC08
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68ABD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A677BB4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A683BB4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A674C64
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A680C68
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A690C68
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A685C50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A692C48
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A687C30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A678CE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68ACEC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A673CE8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A677CAC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A687144
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68A130
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A683210
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6731F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A675198
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6741A8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67B1A8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67F290
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67E254
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68D254
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68F238
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6912FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67D300
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69A304
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A693304
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6772E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67B2BC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A678F5C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A692F3C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A696F3C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A673F40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67AFE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67DFCC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67EFCC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A682F94
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68EFAC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A674078
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69A088
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68406C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A694020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A671014
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68B028
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67B0F8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A686110
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6790D4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69B0EC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6730BC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67F580
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A680578
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69155C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68B558
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69B570
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A696520
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A683610
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6725D8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A684594
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A686594
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68C5AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A680680
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A692638
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68F61C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68D620
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68762C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A672708
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6736E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6846B4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69369C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67B698
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A676698
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6976A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6916A8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A671368
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A684368
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69632C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A694330
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6913FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68A408
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6893E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67B3E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6793AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A675484
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A67C458
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A69344C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A686418
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6984DC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6824E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68D4D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A6814A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A68E4A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001A098
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018003E0D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800180E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C0F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E134
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C150
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001A1A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018004E1C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800181E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180026288
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001A2A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800182E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E320
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C324
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180058338
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001A3B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800063E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800183F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002E420
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E508
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C510
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180028514
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C51C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018548
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018005A5A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180026618
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018650
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180028668
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018004067C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018004E6F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C6FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E734
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018758
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800427CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800287E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018860
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016870
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800548F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C900
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E91C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C92C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016978
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800189CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800427CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180026A24
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016A80
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001EB04
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001CB18
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016B8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018004EBA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018C54
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002CCCC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016CE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001CD00
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001ED30
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018D98
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016DF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018004CEC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018EC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016EF8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001EF18
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001CF2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180042F88
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018FD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017000
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800190D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F104
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D114
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017158
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002D19C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800191E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017260
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D2FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018004F2FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B310
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F334
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019338
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017368
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019440
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017474
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002B49C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B4F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F520
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D528
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019548
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800175D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019650
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002D680
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800176D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F70C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D710
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B724
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018004972C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180025740
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800197B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018004B7E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017800
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800198C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002B8D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D8FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B90C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F93C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800199C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017A10
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018003FA6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180045A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019AD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180025AD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BAF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017B18
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DB2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002DB50
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019C28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018003BD00
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DD18
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002BD1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BD20
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019D30
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017D78
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180045A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019E38
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017E80
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180049EEC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180025EFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DF04
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BF08
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018003FF1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019F40
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017F88
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002DFAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01240000
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01427414
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0143B6BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142A804
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142C8C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142EB08
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01415B18
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01428B3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01421B88
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142BD64
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0141CCC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01437E28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01427144
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01426110
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142A130
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014131F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01415198
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014141A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0141B1A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142406C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01414078
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01411014
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01434020
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142B028
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014190D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0143B0EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0141B0F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0143A088
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014130BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01411368
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01424368
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0141D300
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0143A304
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01433304
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0143632C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01434330
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014293E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0141B3E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014313FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014193AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0141E254
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142D254
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01423210
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142F238
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014172E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014312FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0141F290
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0141B2BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142B558
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0143155C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0143B570
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01420578
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01436520
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014125D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0141F580
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01424594
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01426594
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142C5AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0143344C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0141C458
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142A408
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01426418
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142D4D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014384DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014224E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01415484
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_014214A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142E4A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0142F764
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01412708
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01429720

Source: C:\Windows\System32\loaddll64.exe	Code function: String function: 0000000180046D38 appears 44 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 0000000180046D38 appears 44 times

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll

Source: MIpuuSiSZ4.dll	Virustotal: Detection: 72%
Source: MIpuuSiSZ4.dll	Metadefender: Detection: 54%
Source: MIpuuSiSZ4.dll	ReversingLabs: Detection: 88%

Source: MIpuuSiSZ4.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MIpuuSiSZ4.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddStroke
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddWordsToWordList
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AdviseInkChange
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 484 -p 6160 -ip 6160
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FmCnbLJkOlaRytmc\QMbXoKRooU.dll"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 516 -p 3896 -ip 3896
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6160 -s 336
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3896 -s 328
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbTPHZsAWIZFUi\eAeQcUPg.dll"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MIpuuSiSZ4.dll
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddStroke
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddWordsToWordList
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AdviseInkChange
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbTPHZsAWIZFUi\eAeQcUPg.dll"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FmCnbLJkOlaRytmc\QMbXoKRooU.dll"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 484 -p 6160 -ip 6160
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 516 -p 3896 -ip 3896
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6160 -s 336
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3896 -s 328
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB89A.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winDLL@34/16@0/28

Source: C:\Windows\System32\loaddll64.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_000001942A68A804 Process32FirstW,CreateToolhelp32Snapshot,Process32NextW,FindCloseChangeNotification,

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6160
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6496:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6568:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3896

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00000001800011AC LoadStringW,LoadStringW,FindResourceA,LoadResource,LockResource,

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: MIpuuSiSZ4.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MIpuuSiSZ4.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A678C72 push ebp; ret
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01418C72 push ebp; ret

Source: MIpuuSiSZ4.dll

Static PE information: section name: _RDATA

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MIpuuSiSZ4.dll

Source: C:\Windows\System32\regsvr32.exe

PE file moved: C:\Windows\System32\FmCnbLJkOlaRytmc\QMbXoKRooU.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\loaddll64.exe	File opened: C:\Windows\system32\YbTPHZsAWIZFUi\eAeQcUPg.dll:Zone.Identifier read attributes \| delete
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\FmCnbLJkOlaRytmc\QMbXoKRooU.dll:Zone.Identifier read attributes \| delete

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\svchost.exe TID: 2240	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3160	Thread sleep time: -120000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\loaddll64.exe	API coverage: 7.1 %
Source: C:\Windows\System32\regsvr32.exe	API coverage: 7.4 %

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180042F88 FindFirstFileExW,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180043464 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180042F88 FindFirstFileExW,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180043464 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0287C9F0 FindFirstFileW,FindNextFileW,

Source: C:\Windows\System32\regsvr32.exe

File Volume queried: C:\ FullSizeInformation

Source: svchost.exe, 00000016.00000002.883963436.00000227B5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.739954619.000001475FCF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAW
Source: regsvr32.exe, 0000000C.00000003.792566060.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882901644.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.882944619.00000227AF829000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.883925272.00000227B504C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.739774338.000001475FC66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.739198935.000001475FC64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.739932682.000001475FCE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.882587569.0000023C76802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: regsvr32.exe, 0000000C.00000003.792566060.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882901644.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj
Source: loaddll64.exe, 00000000.00000002.488486061.0000019428C98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000E.00000002.882727598.0000023C76828000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_000000018001360C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000180048198 GetProcessHeap,

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180002F14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001360C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000386C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180003A54 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002F14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001360C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000386C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180003A54 SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 174.138.33.49 7080

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 484 -p 6160 -ip 6160
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 516 -p 3896 -ip 3896
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6160 -s 336
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3896 -s 328

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll64.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000180059100 cpuid

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00000001800032C0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information

Source: Yara match

File source: 0000000C.00000002.882519844.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Emotet

Source: Yara match	File source: 3.2.rundll32.exe.1a6c08b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.195c5870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.1000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.21313760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1a6c08b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.1942a5d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.16a80010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.16a80010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.195c5870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.1942a5d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.13b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.21313760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.457523835.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.454942955.0000000001411000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.460329273.0000016A80010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.500443188.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.883306468.0000000001000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.503233757.0000021313901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.460399040.0000016A80071000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.883481925.0000000002861000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.499993940.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.488615007.000001942A671000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.458204040.0000021313901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.468293754.00000195C58D1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.457983091.0000021313760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.457466014.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.454887422.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.448855621.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.454361313.0000021313901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.448792384.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.468234789.00000195C5870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.454167344.0000021313760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.503043476.0000021313760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.488528971.000001942A5D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	2 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	3 Virtualization/Sandbox Evasion	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	3 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Regsvr32	DCSync	44 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 File Deletion	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MIpuuSiSZ4.dll	72%	Virustotal		Browse
MIpuuSiSZ4.dll	54%	Metadefender		Browse
MIpuuSiSZ4.dll	88%	ReversingLabs	Win64.Trojan.Emotet

Source	Detection	Scanner	Label
https://174.138.33.49/7	100%	Avira URL Cloud	malware
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://174.138.33.49:7080/	0%	URL Reputation	safe
https://174.138.33.49:7080/temy	100%	Avira URL Cloud	malware
https://www.pango.co/privacy	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://174.138.33.49:7080/Numv	100%	Avira URL Cloud	malware
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://174.138.33.49/	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://174.138.33.49/7	regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	svchost.exe, 00000016.00000002.883340069.00000227AF8AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://174.138.33.49:7080/	regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.hotspotshield.com/terms/	svchost.exe, 0000001E.00000003.710986823.0000014760C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710810502.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710861874.0000014760C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710944641.00000147607AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710923120.000001476079C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://174.138.33.49:7080/temy	regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.pango.co/privacy	svchost.exe, 0000001E.00000003.710986823.0000014760C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710810502.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710861874.0000014760C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710944641.00000147607AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710923120.000001476079C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000016.00000002.883963436.00000227B5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.739932682.000001475FCE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://174.138.33.49:7080/Numv	regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 0000001E.00000003.719101021.00000147607A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.718967987.00000147607B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.719233278.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.718937080.00000147607B6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.hotspotshield.com/	svchost.exe, 0000001E.00000003.710986823.0000014760C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710810502.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710861874.0000014760C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710944641.00000147607AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710923120.000001476079C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://174.138.33.49/	regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
32.7.0.0	unknown	United States	2686	ATGS-MMD-ASUS	true
174.138.33.49	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
128.7.0.0	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true
20.7.0.0	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
108.7.0.0	unknown	United States	701	UUNETUS	true
80.7.0.0	unknown	United Kingdom	5089	NTLGB	true
92.7.0.0	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
244.6.0.0	unknown	Reserved	unknown	unknown	true
240.69.242.0	unknown	Reserved	unknown	unknown	true
184.6.0.0	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
192.6.0.0	unknown	United States	54735	TTGSIUS	true
112.7.0.0	unknown	China	24444	CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany	true
64.6.0.0	unknown	United States	14363	MTCCOMMUS	true
214.112.3.0	unknown	United States	721	DNIC-ASBLK-00721-00726US	true
4.7.0.0	unknown	United States	3356	LEVEL3US	true
76.7.0.0	unknown	United States	22186	CENTURYLINK-LEGACY-EMBARQ-KSGRNRUS	true
96.7.0.0	unknown	United States	262589	INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR	true
240.6.0.0	unknown	Reserved	unknown	unknown	true
243.112.3.0	unknown	Reserved	unknown	unknown	true
200.6.0.0	unknown	Ecuador	8151	UninetSAdeCVMX	true
241.112.3.0	unknown	Reserved	unknown	unknown	true
124.7.0.0	unknown	India	4662	QTCN-ASN1GCNetReachRangeIncTW	true
16.7.0.0	unknown	United States	unknown	unknown	true
36.7.0.0	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	true
244.26.0.0	unknown	Reserved	unknown	unknown	true

Private

IP
192.168.2.1
192.168.2.7
127.0.0.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	671702
Start date and time: 22/07/202213:55:58	2022-07-22 13:55:58 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 26s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	MIpuuSiSZ4 (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winDLL@34/16@0/28
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 86.9% (good quality ratio 81.6%) Quality average: 75% Quality standard deviation: 30.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 209.197.3.8, 20.189.173.22, 20.189.173.21, 23.35.236.56, 20.223.24.244
Excluded domains from analysis (whitelisted): onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, login.live.com, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:58:18	API Interceptor	2x Sleep call for process: WerFault.exe modified
13:58:51	API Interceptor	10x Sleep call for process: svchost.exe modified

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x9bd413be, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.2507301596835623
Encrypted:	false
SSDEEP:	384:s+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:zSB2nSB2RSjlK/+mLesOj1J2
MD5:	67BC1180577BCAE7AAAB0395C6668DE1
SHA1:	54063A0EBB7A899A61F7B47C28B184EA080C9FEB
SHA-256:	AADEEC33723E9CB7C975F69645141F65B1CF0545EB6FD12269210108B22083D8
SHA-512:	6AF6B62F9A980A09C1C2CF4A5C7297B156B960DAF9280D7F981356EA56096AA9B765F60FB2FA5D8641B3513A03F4C4736DAF0B9D3F0F368E0F212CC2136240A8
Malicious:	false
Preview:	....... ................e.f.3...w........................&..........w..3:...z..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................~...4:...z'................... 4:...z'.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_MIp_773949b15a9dc27bfcd3f791ccbc8dda8da3511_ceeedb37_116bd172\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7745360116180453
Encrypted:	false
SSDEEP:	192:U5vigJKVHkhyJdJsjIU/u7sVS274ltNw:uviuKFkEJdJsjj/u7sVX4ltNw
MD5:	DC08AF70F1A9F069487A3081FFAE724A
SHA1:	EE7D71A22BEDE02D198F895950703D4BBF73F5F0
SHA-256:	0D736C5C970F822A0FBB017CA75F4894BAF5E23525FAC93D52720D575D247A4C
SHA-512:	3475021FFDAAD7B6D5AB9ACEE4E5B84B5091AAB192565EB29BAD694D46083E132F31B3B2D157E4346942580D4224FC3FE4743B998935740FFD724E7CDACE20F7
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.2.9.9.7.0.8.6.8.5.0.3.1.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.2.9.9.7.0.9.7.4.4.3.9.5.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.a.2.3.b.0.8.-.5.7.9.2.-.4.d.9.b.-.8.d.e.9.-.f.0.c.9.f.e.9.2.8.a.9.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.f.e.3.b.9.1.-.d.9.1.4.-.4.7.d.9.-.a.8.c.7.-.7.7.4.6.f.5.f.d.b.9.d.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.M.I.p.u.u.S.i.S.Z.4...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.3.8.-.0.0.0.1.-.0.0.1.8.-.1.5.a.5.-.5.6.9.e.0.d.9.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_MIp_aa8bb9fdf8d32e2840ca8df43968d536d04b9a9_ceeedb37_1a1fcd1c\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7735005926866978
Encrypted:	false
SSDEEP:	96:aRFnliyQijJPny2jT55I73f2pXIQcQqc620ycEBcw3pXaXz+HbHgSQgJPbwGIDVU:KfixijJKSHkhyLtjIU/u7sVS274ltN
MD5:	A86B7FADCDE51D62CE966354FB5F6D3E
SHA1:	3CDC004C4F0E8C87DEDE02051BD08E5733D5A620
SHA-256:	62D635E063040B7F760E0424452183FB2DBA728192E3559036CECF5DB0A4B868
SHA-512:	686DCADB722410A0A0AC4884411C4742CADB7CE3A81E9B5C38F2C63480FEBCE141912E5E577C73DF0B6D13DF7E6E346CEF1E8F44FD7708E28AE28F3C19EEA75F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.2.9.9.7.0.8.3.8.3.0.0.4.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.2.9.9.7.0.9.6.3.7.6.7.9.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.4.5.6.d.6.a.-.4.a.0.3.-.4.1.1.2.-.b.6.0.2.-.7.6.1.0.4.9.f.7.9.0.2.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.b.7.e.3.e.8.-.e.b.a.b.-.4.1.8.e.-.8.7.f.f.-.b.e.7.a.0.0.9.2.5.9.8.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.M.I.p.u.u.S.i.S.Z.4...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.1.0.-.0.0.0.1.-.0.0.1.8.-.8.8.1.e.-.1.0.9.e.0.d.9.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER940B.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Jul 22 20:58:11 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	63490
Entropy (8bit):	2.3463206366673157
Encrypted:	false
SSDEEP:	384:DIyacvV4z7BXVjaKChYAFwvpMlwdbA5AQ:fact4x1COGqbV
MD5:	6DA5CE983BAF9352E00714A8BB39727E
SHA1:	40AC6315F73498356FFD4546AB837B1EDB8E4436
SHA-256:	E1FDAEE089B49ED19476BC82FEADFAC287A65FD3F7FE361C64BEA1CA72FF9F49
SHA-512:	8B22B9B1C1F8DE25E6B994F2143D6D08F4DC8C2285CCADD2968A612209FC7C69CD9849FBD9D6FA9A7BDD322E16B9203585199853F6824CA1C5D4A589572651E1
Malicious:	false
Preview:	MDMP....... .......c..b....................................h...8.......D...8:..........`.......8...........T...............Z............!...........#...................................................................U...........B......$$......Lw.....................T...........)..b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FD2.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Jul 22 20:58:12 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	64526
Entropy (8bit):	2.3013812479784215
Encrypted:	false
SSDEEP:	192:0VlvLya1EV4zKQBXVjLSp/JwKOC5CZ5HtitAzdQG0wdS3oCwcPxAX/WjwGvnMrsQ:gyaSV4z7BXVjaeCsTNglwdI4CwG0oH
MD5:	EA3866323B1704449AD420AFF2568E70
SHA1:	A8D86FB576FDACCE09830A84D42D6BEF00BEE8A6
SHA-256:	A076EBFBE6DE8900FA059902F628D87B656F7CA5652162CEFB772D406A486FB2
SHA-512:	A656792FD06E4857B793F3473899619DEEA32D8E33F2706EE12D7D7661618DBDB13558F1908D79D48E38834149EFD3B7608D4CFF570BF3DA0D7CC2AE54677749
Malicious:	false
Preview:	MDMP....... .......d..b....................................h...8.......T...8:..........`.......8...........T...........X................!...........#...................................................................U...........B......$$......Lw................$\a...T.......8...)..b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4E2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8756
Entropy (8bit):	3.699929917648694
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiUdXVS236Yn8Orgmf1RS/9XCprk89bLHexfCl5m:RrlsNiuXVSG6Y8Orgmf1RSVmLHgfCy
MD5:	5707F8FB038E671C7B62CB5035AAAB02
SHA1:	74C594EF9DA77B7F4D233D5F7F6C1961A4D7A113
SHA-256:	7E3AA329FF2FDBF29AFBBAC46A16C4268399B33CF15B4D0105AC15CCD4ADB59E
SHA-512:	882B94720EE909570C32FAC048E9AEF2EC5D5F6374061B7CEAF8B57740ADB0611D89424E18CDEAE72D2ED828B82F6E00EE20085174520DDD56E7BA9EA396D235
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB764.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4733
Entropy (8bit):	4.4845182631342055
Encrypted:	false
SSDEEP:	48:cvIwSD8zsqJgtBI9oeWgc8sqYjX8fm8M4JC/WC/J8FHPyq85m/E8pkZESC5S0d:uITf4qfgrsqYIJ8baP9FmVv0d
MD5:	1ADF8A480754A46C16ABB3071BBDE030
SHA1:	4296C5D7A325C8AA4A1EE0E4D31C842A9B7A7F51
SHA-256:	FF255A547C95F1D3E34B22ABD7F4E29D2F61796538E64A29E0C19F082BAAEC36
SHA-512:	1EA031B7241D3D88449510EB32C833A9EE93CFFF6B4F91D14A38D9977D2243F78126688445C124252333F9F172BB02A1D857D5F367641E92C98E5C9A8D208D67
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1614608" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB89A.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	53366
Entropy (8bit):	3.039602557285005
Encrypted:	false
SSDEEP:	1536:7pHolfWew9msUxoufVGpupKCxx8a4JIR1efcW6qbwYsbTRVK:7pHolfWew9msUxoufVGpupKax8a4JIRM
MD5:	AD9B2D87A8B0A0650C811F0196D3FC69
SHA1:	E589D91FD2A256451BDD824C34DC087AA4C18F99
SHA-256:	8D499200DC2DC20F84F58BC3CB5E051FA9854AFA7A889D84EED09EE5F81E49A5
SHA-512:	FFFD113868323A53C6453B1A351B18CA23079C23C0E839E96EB776983F70B86184A21413DE003E518D8133820935F665E6A9F9BD64A3B719D15055D6E7CE766B
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB5A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8780
Entropy (8bit):	3.7024676918374104
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi5M4SC6YZiD/dgmf15S/3J0XCprpx89b90qf+7fm:RrlsNiC4SC6Y8D/dgmf15SvJ0P9pf+K
MD5:	351B391DF4BC5442150F6F2B00D5BD60
SHA1:	79BD5E9F2C1D8B703125E7E0DBC2F0451C6E048E
SHA-256:	A3451CB058B5E7CD354B15B5414F4845CD0C6E54A6A823D4BE11F550011DEB0D
SHA-512:	8074FDBA7BBBDFDB2945D905D8E20222A7DEFB83EB731847D8F152892F92E505CD144413115FA7208F08924309D7AEBB268BFFB4665FD24B1B75CB8C7903DC74
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.9.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE49.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4733
Entropy (8bit):	4.488917511624953
Encrypted:	false
SSDEEP:	48:cvIwSD8zsqJgtBI9oeWgc8sqYj1a8fm8M4JC/WC/JsFP+yq85m/EkZESC5SRd:uITf4qfgrsqYpvJ8b6+9hVvRd
MD5:	03A8266176247D4230025BA8D9AF1772
SHA1:	FED690D9A1A7086A597B418949F8C37323751285
SHA-256:	AA9C108A14F8B04E30FD522AF6327172D809E5DD94B8668DDA229D1CF9CD988C
SHA-512:	92A1E68401BE0F368347E41EBD3BAF3241567D6C387E9A465AB8D0E66AA13E3360ABE225679C7BA24203C83E48E2284351A28C1071DE13631B80FE2DF8E8BB05
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1614608" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0F8.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	53030
Entropy (8bit):	3.0405121690366794
Encrypted:	false
SSDEEP:	1536:qmHjfXV+vnUwuufdGpupKCxqgafJIRbefeZUNjYs0rG:qmHjfXV+vnUwuufdGpupKaqgafJIRbe5
MD5:	7D1A88D60AF131C65C41EAF82B0BDEDA
SHA1:	606F6D475DB41C98C1C3A50E9ADFDBD3933E5F57
SHA-256:	837BCFBD3BC1953219F1DB90CBE1B34E991CE28DA0AD3F9D3AE530A916061087
SHA-512:	A439134254BF5E700398ED342298DB0DBBA141D8B167701E01A073166C2AC6CBC70D3372E91BA33C0920BF7C6F3181D3946D3E0B330362782E0560E2D41A08ED
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC28F.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.7042695129115457
Encrypted:	false
SSDEEP:	96:kiZYWR4EGQY0iYGQPiHSUYEZBOt8iOO78dwaWuzraoLRtKlcNIcNy:hZDNELvWuXaoLRtKGScNy
MD5:	D113A605C42A9F5B80205B269AFE4CD8
SHA1:	CF90AA4AB1E3B96324E23C137534C2724086C13A
SHA-256:	E75D7414ADD5AEFF36D29530716015AF2E6141BB95B1A7C35606363169D1143A
SHA-512:	FCBD8EB398D82EB7B866C6EC6B4305C8448AB5AFE4C36DC04F091301423177BBAD8ACA98D9A62D56574EF3DE0D4B76456E3C489B69B78DC84E8496FED1897FCB
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.2.6.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6A7.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.7045158693525706
Encrypted:	false
SSDEEP:	96:kiZYWGMk+kONYxYSQOpHSUYEZpst8i5O78qwTSG8PtDaGL1DKlcNIbNy:hZDGtSGTQSZtDaGL1DKGSbNy
MD5:	DDA604DCF734EE681590803CEC9FAFE3
SHA1:	862AA166DA42679D7DCA16A4273F829C04FA219E
SHA-256:	6444E6B751946D2B298A87E8EA6589E582E2DD588F5D4790B59A8952EA6F862D
SHA-512:	FA7D844BB510EFE0F1A4BE13AAFA94E94216AD0D6B7290B3AD505E7E3D17435531855D911A135B38C73E99CECA0DD0D0C8EB068FBB21CE2B83F128D66F7A5E2B
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.2.6.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 61712 bytes, 1 file
Category:	dropped
Size (bytes):	61712
Entropy (8bit):	7.995044632446497
Encrypted:	true
SSDEEP:	1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
MD5:	589C442FC7A0C70DCA927115A700D41E
SHA1:	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
SHA-256:	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
SHA-512:	1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
Malicious:	false
Preview:	MSCF............,...................I........y.........Tf. .authroot.stl..W.`.4..CK..8U[...q.yL'sf!d.D..."2.2g.<dVI.!.....$).\...!2s..(...[.T7..{}...g....g.....w.km$.&\|..qe.n.8+..&...O...`...+..C......`h!0.I.(C..1Q*L.p..".s..B.....H......fUP@..5...(X#.t.2lX.>.y\|D.0Z0...M....I(.#.-... ...(.J....2..`.hO..{l+.bd7y.j..u.....3....<......3....s.T...._.'...%{v...s..............KgV.0..X=.A.9w9.Ea.x..........\.=.e.C2......9.......`.o... .......@pm.. a.....-M.....{...s.mW.....;.+...A......0.g..L9#.v.&O>./xSH.S.....GH.6.j...`2.(0g..... Lt........h4.iQ?....[.K.....uI......}.....d....M.....6q.Q~.0.\.'U^)`..u.....-........d..7...2.-.2+3.....A./.%Q...k...Q.,...H.B.%..O..x..5\...Hk.......B.';"Ym.'....X.l.E.6..a8.6..nq..x.r4..1t.....,..u.O..O.L...Uf...X.u.F .(.(.....".q...n{%U.-u....l6!....Z....~o0.}Q'.s.i....7...>4x...A.h.Mk].O.z.].6...53...b^;..>e..x.'1..\p.O.k..B1w..\|..K.R.....2.e0..X.^...I...w..!.v5B]x..z.6.G^uF..].b.W...'..I.;..p..@L{.E..@W..3.&...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	326
Entropy (8bit):	3.1297566246827087
Encrypted:	false
SSDEEP:	6:kKme+N+SkQlPlEGYRMY9z+4KlDA3RUeWlEZ21:+eNkPlE99SNxAhUeE1
MD5:	A42B93B0EC145424B2143A7E54D44391
SHA1:	46B8C15CCF1EEB1A3E06B2AD72434B33E8466FB7
SHA-256:	9B6D154A211EA55DA2EF86DCEDA82C22BD0868650C70EE05239917587950244E
SHA-512:	80B432F4390423D2D7CF28FDFC1D4DFAAEFF939B3576F745775F0FD674F1517C4C10E1BB7B3193506F8A4795DD0DDF5C0C9438DE91A42415F1E40CF5802D81B7
Malicious:	false
Preview:	p...... ........k.'.....(....................................................... .........L.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.f.4.c.9.6.9.8.b.d.8.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	7.372720093100094
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	MIpuuSiSZ4.dll
File size:	850944
MD5:	1dd34935a785a419fb552b5086ea682e
SHA1:	c6c966e4ba623f9972273de07b842ffbb9a9efce
SHA256:	8b5a10f9a8f2b25057442111a01faf021ef7e048eab875a4078a44758d952c6f
SHA512:	79ab4a827fd581cd87fad4b0470bfcaf26f9471181c6c199706c54cc1b636cc7719306feac1b50c24d051f65c3b4d84bc662b8e33c03a1fced07f8023689dcfc
SSDEEP:	12288:jRCGXj4KVB9abMfyzfqvHWnyPv+LVHT2+2JNdX712kBjtOJZObrGzifb97Vw+Uvf:kGXj3X7FjkZqrqiBVwDbu5nP2F
TLSH:	7005D06773A509B5E0B7D139CA128E86FAB2BC091720F74B03E495752F23750A67F722
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..t7..t7..t7w.w6..t7w.q6!.t7w.p6..t7..q6..t7..p6..t7..w6..t7w.u6..t7..u7..t7e.q6..t7e.t6..t7e..7..t7...7..t7e.v6..t7Rich..t

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x180002c54
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, NX_COMPAT
Time Stamp:	0x62CC7629 [Mon Jul 11 19:12:41 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c2b03f92959f67ac494853faf0032582

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F0048B8B8E7h
call 00007F0048B8BF9Ch
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F0048B8B750h
int3
int3
int3
dec eax
and dword ptr [ecx+10h], 00000000h
dec eax
lea eax, dword ptr [0005B5E0h]
dec eax
mov dword ptr [ecx], eax
dec eax
mov eax, ecx
dec eax
mov dword ptr [ecx+08h], edx
ret
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
mov eax, edx
dec eax
lea ecx, dword ptr [0005B591h]
xorps xmm0, xmm0
dec eax
mov dword ptr [ebx], ecx
dec eax
lea edx, dword ptr [ebx+08h]
dec eax
lea ecx, dword ptr [eax+08h]
movups dqword ptr [edx], xmm0
call 00007F0048B8D6B0h
dec eax
lea eax, dword ptr [0005B5A4h]
dec eax
mov dword ptr [ebx], eax
dec eax
mov eax, ebx
dec eax
add esp, 20h
pop ebx
ret
dec eax
and dword ptr [ecx+10h], 00000000h
dec eax
lea eax, dword ptr [0005B59Ch]
dec eax
mov dword ptr [ecx+08h], eax
dec eax
lea eax, dword ptr [0005B581h]
dec eax
mov dword ptr [ecx], eax
dec eax
mov eax, ecx
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
mov eax, edx
dec eax
lea ecx, dword ptr [0005B535h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6eeb0	0x414	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6f2c4	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x79000	0x5b020	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x73000	0x4638	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd5000	0x80c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x687c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x687e0	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5d000	0x338	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5b4c0	0x5b600	False	0.39445376624487005	data	6.495530086549807	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5d000	0x12dae	0x12e00	False	0.39502276490066224	data	5.29311907790045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x70000	0x2740	0xe00	False	0.17606026785714285	data	2.4721317906474725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x73000	0x4638	0x4800	False	0.5061848958333334	data	5.700987254121771	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x78000	0xf4	0x200	False	0.306640625	data	1.9910589321100538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x79000	0x5b020	0x5b200	False	0.9233324759945131	data	7.923209381955667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd5000	0x80c	0xa00	False	0.453515625	data	4.916763645477666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_HTML	0x790a0	0x5ae00	data	English	United States
RT_MANIFEST	0xd3ea0	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	LockResource, CreateFileW, OutputDebugStringW, LoadResource, GetModuleFileNameW, VirtualAllocExNuma, WriteConsoleW, FindResourceA, GetCurrentProcess, CloseHandle, ReadConsoleW, ReadFile, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, ExitProcess, GetModuleHandleExW, GetCurrentThread, HeapFree, HeapAlloc, GetStdHandle, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetProcessHeap, SetConsoleCtrlHandler, GetStringTypeW, GetFileSizeEx, SetFilePointerEx, SetStdHandle, HeapSize, HeapReAlloc, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, RtlUnwind
USER32.dll	LoadStringW
ADVAPI32.dll	RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, RegSetValueExW
ole32.dll	StringFromCLSID, CoTaskMemFree

Exports

Name	Ordinal	Address
AddStroke	2	0x180001744
AddWordsToWordList	3	0x180001970
AdviseInkChange	4	0x180001978
CloneContext	5	0x18000197c
CreateContext	6	0x180001984
CreateRecognizer	7	0x1800019ec
DestroyAlternate	8	0x180001a54
DestroyContext	9	0x180001a5c
DestroyRecognizer	10	0x180001ac4
DestroyWordList	11	0x180001ae8
DllRegisterServer	12	0x180001e0c
DllUnregisterServer	13	0x180001fc0
GetBestResultString	1	0x1800010b8
GetContextPreferenceFlags	14	0x18000201c
GetContextPropertyList	15	0x180002024
GetContextPropertyValue	16	0x18000202c
GetEnabledUnicodeRanges	17	0x180002034
GetGuide	18	0x18000203c
GetLatticePtr	19	0x180002080
GetLeftSeparator	20	0x1800022a4
GetPreferredPacketDescription	21	0x1800022ac
GetRecoAttributes	22	0x180002328
GetResultPropertyList	23	0x180002340
GetRightSeparator	24	0x180002348
GetUnicodeRanges	25	0x180002350
IsStringSupported	26	0x180002358
MakeWordList	27	0x180002360
Process	28	0x180002368
ResetContext	29	0x180002688
SetCACMode	30	0x1800026e0
SetContextPropertyValue	31	0x1800026e8
SetEnabledUnicodeRanges	32	0x1800026f0
SetFactoid	33	0x1800026f8
SetFlags	34	0x1800026fc
SetGuide	35	0x180002700
SetTextContext	36	0x1800027a8
SetWordList	37	0x1800027b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.7174.138.33.494979470802404316 07/22/22-13:58:44.263207	TCP	2404316	ET CNC Feodo Tracker Reported CnC Server TCP group 9	49794	7080	192.168.2.7	174.138.33.49

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2022 13:58:44.263206959 CEST	49794	7080	192.168.2.7	174.138.33.49
Jul 22, 2022 13:58:44.370028973 CEST	7080	49794	174.138.33.49	192.168.2.7
Jul 22, 2022 13:58:44.370176077 CEST	49794	7080	192.168.2.7	174.138.33.49
Jul 22, 2022 13:58:44.402960062 CEST	49794	7080	192.168.2.7	174.138.33.49
Jul 22, 2022 13:58:44.509370089 CEST	7080	49794	174.138.33.49	192.168.2.7
Jul 22, 2022 13:58:44.540781021 CEST	7080	49794	174.138.33.49	192.168.2.7
Jul 22, 2022 13:58:44.540803909 CEST	7080	49794	174.138.33.49	192.168.2.7
Jul 22, 2022 13:58:44.540869951 CEST	49794	7080	192.168.2.7	174.138.33.49
Jul 22, 2022 13:58:44.540894985 CEST	49794	7080	192.168.2.7	174.138.33.49
Jul 22, 2022 13:58:51.413127899 CEST	49794	7080	192.168.2.7	174.138.33.49
Jul 22, 2022 13:58:51.526726961 CEST	7080	49794	174.138.33.49	192.168.2.7
Jul 22, 2022 13:58:51.526912928 CEST	49794	7080	192.168.2.7	174.138.33.49
Jul 22, 2022 13:58:51.534461975 CEST	49794	7080	192.168.2.7	174.138.33.49
Jul 22, 2022 13:58:51.682136059 CEST	7080	49794	174.138.33.49	192.168.2.7
Jul 22, 2022 13:58:52.064332008 CEST	7080	49794	174.138.33.49	192.168.2.7
Jul 22, 2022 13:58:52.064538002 CEST	49794	7080	192.168.2.7	174.138.33.49
Jul 22, 2022 13:58:55.067655087 CEST	7080	49794	174.138.33.49	192.168.2.7
Jul 22, 2022 13:58:55.067689896 CEST	7080	49794	174.138.33.49	192.168.2.7
Jul 22, 2022 13:58:55.067923069 CEST	49794	7080	192.168.2.7	174.138.33.49
Jul 22, 2022 14:00:36.722028017 CEST	49794	7080	192.168.2.7	174.138.33.49
Jul 22, 2022 14:00:36.722055912 CEST	49794	7080	192.168.2.7	174.138.33.49

Target ID:	0
Start time:	13:57:12
Start date:	22/07/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll"
Imagebase:	0x7ff620870000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.488615007.000001942A671000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.488528971.000001942A5D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exePID: 6376, Parent PID: 7160

General

Target ID:	1
Start time:	13:57:12
Start date:	22/07/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1
Imagebase:	0x7ff6a6590000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exePID: 5016, Parent PID: 7160

General

Target ID:	2
Start time:	13:57:13
Start date:	22/07/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\MIpuuSiSZ4.dll
Imagebase:	0x7ff655380000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.454942955.0000000001411000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.454887422.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 6160, Parent PID: 6376

General

Target ID:	3
Start time:	13:57:13
Start date:	22/07/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1
Imagebase:	0x7ff66c6b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.457523835.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.500443188.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.499993940.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.457466014.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.448855621.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.448792384.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 3896, Parent PID: 7160

General

Target ID:	4
Start time:	13:57:13
Start date:	22/07/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddStroke
Imagebase:	0x7ff66c6b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.503233757.0000021313901000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.458204040.0000021313901000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.457983091.0000021313760000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.454361313.0000021313901000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.454167344.0000021313760000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.503043476.0000021313760000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 5804, Parent PID: 7160

General

Target ID:	5
Start time:	13:57:17
Start date:	22/07/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddWordsToWordList
Imagebase:	0x7ff66c6b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.460329273.0000016A80010000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.460399040.0000016A80071000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 2196, Parent PID: 7160

General

Target ID:	6
Start time:	13:57:21
Start date:	22/07/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AdviseInkChange
Imagebase:	0x7ff66c6b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.468293754.00000195C58D1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.468234789.00000195C5870000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: svchost.exePID: 3316, Parent PID: 604

General

Target ID:	10
Start time:	13:57:51
Start date:	22/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 6496, Parent PID: 3316

General

Target ID:	11
Start time:	13:57:52
Start date:	22/07/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 484 -p 6160 -ip 6160
Imagebase:	0x7ff7fe6b0000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: regsvr32.exePID: 5696, Parent PID: 5016

General

Target ID:	12
Start time:	13:57:54
Start date:	22/07/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FmCnbLJkOlaRytmc\QMbXoKRooU.dll"
Imagebase:	0x7ff655380000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.883306468.0000000001000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.883481925.0000000002861000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_3, Description: , Source: 0000000C.00000002.882519844.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: WerFault.exePID: 6568, Parent PID: 3316

General

Target ID:	13
Start time:	13:57:55
Start date:	22/07/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 516 -p 3896 -ip 3896
Imagebase:	0x7ff7fe6b0000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 6584, Parent PID: 604

General

Target ID:	14
Start time:	13:57:55
Start date:	22/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 6728, Parent PID: 6160

General

Target ID:	15
Start time:	13:58:01
Start date:	22/07/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6160 -s 336
Imagebase:	0x7ff7fe6b0000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 4412, Parent PID: 3896

General

Target ID:	16
Start time:	13:58:02
Start date:	22/07/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3896 -s 328
Imagebase:	0x7ff7fe6b0000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: regsvr32.exePID: 5428, Parent PID: 7160

General

Target ID:	17
Start time:	13:58:11
Start date:	22/07/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbTPHZsAWIZFUi\eAeQcUPg.dll"
Imagebase:	0x7ff655380000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 4900, Parent PID: 604

General

Target ID:	20
Start time:	13:58:39
Start date:	22/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 5068, Parent PID: 604

General

Target ID:	22
Start time:	13:58:51
Start date:	22/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 5928, Parent PID: 604

General

Target ID:	24
Start time:	13:59:10
Start date:	22/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6ec1c0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 7032, Parent PID: 604

General

Target ID:	28
Start time:	13:59:32
Start date:	22/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 6188, Parent PID: 604

General

Target ID:	30
Start time:	13:59:44
Start date:	22/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MIpuuSiSZ4

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_MIp_773949b15a9dc27bfcd3f791ccbc8dda8da3511_ceeedb37_116bd172\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_MIp_aa8bb9fdf8d32e2840ca8df43968d536d04b9a9_ceeedb37_1a1fcd1c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER940B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FD2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4E2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB764.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB89A.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB5A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE49.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0F8.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC28F.tmp.txt

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6A7.tmp.txt

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Static File Info

General

Windows Analysis Report
MIpuuSiSZ4