Windows Analysis Report mal2.dll

Overview

General Information

Sample Name: mal2.dll
Analysis ID: 532100
MD5: 9efbd03d5576686dd9f0678c09abe9fc
SHA1: 0b821e78137018bbf3f9c67d3b049e33d5b36ae5
SHA256: 972f9350219dcc2df463f923ec5b559f4ab69f083da9ccbd0976c51bc19f3f5b

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 1456 cmdline: loaddll32.exe "C:\Users\user\Desktop\mal2.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 4892 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4652 cmdline: rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6928 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3868 cmdline: rundll32.exe C:\Users\user\Desktop\mal2.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6956 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xjvbeeymcqp\hqokwlnubzbb.uql",vvWvMRmVQ MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6176 cmdline: rundll32.exe C:\Users\user\Desktop\mal2.dll,axamexdrqyrgb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 7028 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6220 cmdline: rundll32.exe C:\Users\user\Desktop\mal2.dll,bhramccfbdd MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 7124 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 5064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 304 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4320 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 312 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5888 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6240 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6364 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6464 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6704 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6752 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 7116 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 7140 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5544 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1456 -ip 1456 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4568 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 1456 -ip 1456 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000000.566657802.00000000007A0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000000.00000002.642601650.00000000007A0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000000.00000000.567231949.0000000000D2C000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000000.00000000.597839039.00000000007A0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000000.00000000.596491370.00000000007A0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(13 entries in total; 5 shown)

Unpacked PEs

Source | Rule | Description | Author
0.0.loaddll32.exe.d33b80.10.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.rundll32.exe.ba0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0.0.loaddll32.exe.7a0000.9.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0.0.loaddll32.exe.7a0000.9.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0.0.loaddll32.exe.d33b80.7.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(29 entries in total; 5 shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.0.loaddll32.exe.d33b80.10.raw.unpack | Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}
Multi AV Scanner detection for submitted file
Source: mal2.dll | ReversingLabs: Detection: 24%
Source: mal2.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: mal2.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wgdi32full.pdb | source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb | source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb | source: WerFault.exe, 00000016.00000003.573738619.0000000000F47000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb | source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb | source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.581262316.0000000000917000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb | source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb | source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.603106130.0000000000B7D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.602476954.0000000000B7D000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb | source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: upwntdll.pdb | source: WerFault.exe, 00000019.00000003.602237788.0000000000BBB000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb | source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk | source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb | source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb | source: WerFault.exe, 00000016.00000002.593818088.00000000003D2000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( | source: WerFault.exe, 00000019.00000003.603106130.0000000000B7D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.602476954.0000000000B7D000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDC2FE7 FindFirstFileExW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EDC2FE7 FindFirstFileExW

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 46.55.222.11:443
Source: Malware configuration extractor | IPs: 104.245.52.73:8080
Source: Malware configuration extractor | IPs: 41.76.108.46:8080
Source: Malware configuration extractor | IPs: 103.8.26.103:8080
Source: Malware configuration extractor | IPs: 185.184.25.237:8080
Source: Malware configuration extractor | IPs: 103.8.26.102:8080
Source: Malware configuration extractor | IPs: 203.114.109.124:443
Source: Malware configuration extractor | IPs: 45.118.115.99:8080
Source: Malware configuration extractor | IPs: 178.79.147.66:8080
Source: Malware configuration extractor | IPs: 58.227.42.236:80
Source: Malware configuration extractor | IPs: 45.118.135.203:7080
Source: Malware configuration extractor | IPs: 103.75.201.2:443
Source: Malware configuration extractor | IPs: 195.154.133.20:443
Source: Malware configuration extractor | IPs: 45.142.114.231:8080
Source: Malware configuration extractor | IPs: 212.237.5.209:443
Source: Malware configuration extractor | IPs: 207.38.84.195:8080
Source: Malware configuration extractor | IPs: 104.251.214.46:8080
Source: Malware configuration extractor | IPs: 212.237.17.99:8080
Source: Malware configuration extractor | IPs: 212.237.56.116:7080
Source: Malware configuration extractor | IPs: 216.158.226.206:443
Source: Malware configuration extractor | IPs: 110.232.117.186:8080
Source: Malware configuration extractor | IPs: 158.69.222.101:443
Source: Malware configuration extractor | IPs: 107.182.225.142:8080
Source: Malware configuration extractor | IPs: 176.104.106.96:8080
Source: Malware configuration extractor | IPs: 81.0.236.90:443
Source: Malware configuration extractor | IPs: 50.116.54.215:443
Source: Malware configuration extractor | IPs: 138.185.72.26:8080
Source: Malware configuration extractor | IPs: 51.68.175.8:8080
Source: Malware configuration extractor | IPs: 210.57.217.132:8080
Source: Joe Sandbox View | ASN Name: OnlineSASFR
Source: Joe Sandbox View | ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View | IP Address: 195.154.133.20
Source: Joe Sandbox View | IP Address: 212.237.17.99
Source: unknown | Network traffic detected: IP country count 19
Source: svchost.exe, 00000004.00000002.567333158.0000028217E61000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.640708267.0000000001128000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.639198752.0000000001128000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000004.00000002.567003860.0000028217E12000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000002.566413205.00000282128AF000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate
Source: Amcache.hve.22.dr | String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000A.00000002.388912529.0000020B26E13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com/
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387943285.0000020B26E4D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.387900433.0000020B26E69000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.388989382.0000020B26E6B000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.387936814.0000020B26E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.388958286.0000020B26E4A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387957781.0000020B26E49000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.387943285.0000020B26E4D000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.388958286.0000020B26E4A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387957781.0000020B26E49000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.388958286.0000020B26E4A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387957781.0000020B26E49000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000002.388983797.0000020B26E66000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.388943903.0000020B26E41000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388024416.0000020B26E3E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000003.387943285.0000020B26E4D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.388970566.0000020B26E56000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388048361.0000020B26E50000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

                      E-Banking Fraud:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d33b80.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.7a0000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.7a0000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d33b80.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d33b80.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.7a0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d33b80.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.7a0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.da0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.1060000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.650000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.782138.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.650000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.d33b80.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.782138.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.7a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d33b80.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d33b80.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.7a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.32a2138.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.7a0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.d33b80.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.7a0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.32a2138.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.d13d58.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d33b80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d33b80.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.d13d58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.566657802.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.642601650.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.567231949.0000000000D2C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.597839039.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.596491370.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.564537877.000000000076A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.564875818.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.568652514.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.643009162.0000000000D2C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.545043648.0000000001060000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.596841009.0000000000D2C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.526115475.0000000003368000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.564451857.0000000000650000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.598456484.0000000000D2C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.543502348.0000000000BA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.568840979.0000000000D2C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.564446850.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.543542843.0000000000CFA000.00000004.00000020.sdmp, type: MEMORY
Source: mal2.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1456 -ip 1456
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Xjvbeeymcqp\hqokwlnubzbb.uql:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Xjvbeeymcqp\
Source: C:\Windows\System32\loaddll32.exe | Code functions:
0_2_007BED95, 0_2_007BE478, 0_2_007C1C71, 0_2_007C0C66, 0_2_007B645F, 0_2_007B604E, 0_2_007A3E3B, 0_2_007BCC3F,
0_2_007B0A37, 0_2_007B0824, 0_2_007BBA18, 0_2_007B1C12, 0_2_007C2C16, 0_2_007AF20D, 0_2_007C20F8, 0_2_007AE6FD,
0_2_007ABEF5, 0_2_007AA8E8, 0_2_007C06EF, 0_2_007B7EDD, 0_2_007C0AD3, 0_2_007A54C0, 0_2_007BB0BA, 0_2_007AAEB9,
0_2_007B3ABE, 0_2_007B56A9, 0_2_007A68AD, 0_2_007B04A4, 0_2_007AF4A5, 0_2_007AC69B, 0_2_007AF699, 0_2_007AD899,
0_2_007A3085, 0_2_007A2B7C, 0_2_007B5B7C, 0_2_007A597D, 0_2_007BC772, 0_2_007A2176, 0_2_007A2575, 0_2_007A996C,
0_2_007A196D, 0_2_007BF561, 0_2_007A5166, 0_2_007ADD66, 0_2_007C2560, 0_2_007A9565, 0_2_007A8D59, 0_2_007A635F,
0_2_007C2D4F, 0_2_007C314A, 0_2_007A4F42, 0_2_007BC145, 0_2_007B473A, 0_2_007A7739, 0_2_007B3130, 0_2_007AE336,
0_2_007AB12E, 0_2_007BCF2C, 0_2_007A6125, 0_2_007B8518, 0_2_007A8112, 0_2_007A4716, 0_2_007A5314, 0_2_007BD10B,
0_2_007B710D, 0_2_007C3306, 0_2_007A1DF9, 0_2_007A6BFE, 0_2_007BD5FE, 0_2_007B91F7, 0_2_007AFBEF, 0_2_007AB7EC,
0_2_007C35E3, 0_2_007B13DB, 0_2_007BE7DA, 0_2_007B89DA, 0_2_007A5DC3, 0_2_007A39C3, 0_2_007B4DC5, 0_2_007B0FC5,
0_2_007A2DC5, 0_2_007A33A9, 0_2_007BBFA1, 0_2_007B77A7, 0_2_007B6B91, 0_2_007A938F, 0_2_007C1987, 0_2_007A7D87,
0_2_007AF984
Source: C:\Windows\System32\loaddll32.exe | Code functions:
0_2_6EDAA6D0, 0_2_6EDAE6E0, 0_2_6EDA66E0, 0_2_6EDA5EA0, 0_2_6EDB0F10, 0_2_6EDA1C10, 0_2_6EDA75F4, 0_2_6EDA9D50,
0_2_6EDC0A61, 0_2_6EDAD380, 0_2_6EDA38C0, 0_2_6EDB01D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code functions:
2_2_01065314, 2_2_01068112, 2_2_01073130, 2_2_01068D59, 2_2_0106196D, 2_2_01062B7C, 2_2_0107ED95, 2_2_0107E7DA,
2_2_010789DA, 2_2_010791F7, 2_2_0107BA18, 2_2_0107604E, 2_2_010756A9, 2_2_0106AEB9, 2_2_010806EF, 2_2_0107710D,
2_2_0107D10B, 2_2_01083306, 2_2_01064716, 2_2_01078518, 2_2_01066125, 2_2_0106B12E, 2_2_0107CF2C, 2_2_0106E336,
2_2_0107473A, 2_2_01067739, 2_2_0108314A, 2_2_0107C145, 2_2_01064F42, 2_2_01082D4F, 2_2_0106635F, 2_2_01065166,
2_2_0106DD66, 2_2_01069565, 2_2_0107F561, 2_2_01082560, 2_2_0106996C, 2_2_01062176, 2_2_01062575, 2_2_0107C772,
2_2_01075B7C, 2_2_0106597D, 2_2_01067D87, 2_2_0106F984, 2_2_0106938F, 2_2_01081987, 2_2_01076B91, 2_2_010777A7,
2_2_0107BFA1, 2_2_010633A9, 2_2_01074DC5, 2_2_01070FC5, 2_2_01062DC5, 2_2_01065DC3, 2_2_010639C3, 2_2_010713DB,
2_2_0106FBEF, 2_2_0106B7EC, 2_2_010835E3, 2_2_01066BFE, 2_2_0107D5FE, 2_2_01061DF9, 2_2_0106F20D, 2_2_01071C12,
2_2_01082C16, 2_2_01070824, 2_2_01070A37, 2_2_0107CC3F, 2_2_01063E3B, 2_2_0107645F, 2_2_01080C66, 2_2_01081C71,
2_2_0107E478, 2_2_01063085, 2_2_0106C69B, 2_2_0106F699, 2_2_0106D899, 2_2_010704A4, 2_2_0106F4A5, 2_2_010668AD,
2_2_01073ABE, 2_2_0107B0BA, 2_2_010654C0, 2_2_01077EDD, 2_2_01080AD3, 2_2_0106A8E8, 2_2_010820F8, 2_2_0106BEF5,
2_2_0106E6FD
Source: C:\Windows\SysWOW64\rundll32.exe | Code functions:
2_2_6EDAA6D0, 2_2_6EDAE6E0, 2_2_6EDA66E0, 2_2_6EDA5EA0, 2_2_6EDB0F10, 2_2_6EDA1C10, 2_2_6EDA75F4, 2_2_6EDA9D50,
2_2_6EDC0A61, 2_2_6EDAD380, 2_2_6EDA38C0, 2_2_6EDB01D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code functions:
5_2_00DC06EF, 5_2_00DBED95, 5_2_00DB7EDD, 5_2_00DC0AD3, 5_2_00DA54C0, 5_2_00DC20F8, 5_2_00DAE6FD, 5_2_00DABEF5,
5_2_00DAA8E8, 5_2_00DAC69B, 5_2_00DAF699, 5_2_00DAD899, 5_2_00DA3085, 5_2_00DBB0BA, 5_2_00DAAEB9, 5_2_00DB3ABE,
5_2_00DB56A9, 5_2_00DA68AD, 5_2_00DB04A4, 5_2_00DAF4A5, 5_2_00DB645F, 5_2_00DB604E, 5_2_00DBE478, 5_2_00DC1C71,
5_2_00DC0C66, 5_2_00DBBA18, 5_2_00DB1C12, 5_2_00DC2C16, 5_2_00DAF20D, 5_2_00DA3E3B, 5_2_00DBCC3F, 5_2_00DB0A37,
5_2_00DB0824, 5_2_00DB13DB, 5_2_00DBE7DA, 5_2_00DB89DA, 5_2_00DA5DC3, 5_2_00DA39C3, 5_2_00DB4DC5, 5_2_00DB0FC5,
5_2_00DA2DC5, 5_2_00DA1DF9, 5_2_00DA6BFE, 5_2_00DBD5FE, 5_2_00DB91F7, 5_2_00DAFBEF, 5_2_00DAB7EC, 5_2_00DC35E3,
5_2_00DB6B91, 5_2_00DA938F, 5_2_00DC1987, 5_2_00DA7D87, 5_2_00DAF984, 5_2_00DA33A9, 5_2_00DBBFA1, 5_2_00DB77A7,
5_2_00DA8D59, 5_2_00DA635F, 5_2_00DC2D4F, 5_2_00DC314A, 5_2_00DA4F42, 5_2_00DBC145, 5_2_00DA2B7C, 5_2_00DB5B7C,
5_2_00DA597D, 5_2_00DBC772, 5_2_00DA2176, 5_2_00DA2575, 5_2_00DA996C, 5_2_00DA196D, 5_2_00DBF561, 5_2_00DA5166,
5_2_00DADD66, 5_2_00DC2560, 5_2_00DA9565, 5_2_00DB8518, 5_2_00DA8112, 5_2_00DA4716, 5_2_00DA5314, 5_2_00DBD10B,
5_2_00DB710D, 5_2_00DC3306, 5_2_00DB473A, 5_2_00DA7739, 5_2_00DB3130, 5_2_00DAE336, 5_2_00DAB12E, 5_2_00DBCF2C,
5_2_00DA6125
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6EDBD350 appears 32 times
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6EDA1C10 appears 92 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6EDBD350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6EDA1C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: mal2.dll | ReversingLabs: Detection: 24%
Source: mal2.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\mal2.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,bhramccfbdd
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xjvbeeymcqp\hqokwlnubzbb.uql",vvWvMRmVQ
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1456 -ip 1456
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 304
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 1456 -ip 1456
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 312
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,bhramccfbdd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xjvbeeymcqp\hqokwlnubzbb.uql",vvWvMRmVQ
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1456 -ip 1456
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 304
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 1456 -ip 1456
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 312
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD250.tmp
Source: classification engine | Classification label: mal76.troj.evad.winDLL@39/21@0/31
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal2.dll,Control_RunDLL
Source: mal2.dll | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7132:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:5544:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:4568:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1456
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: mal2.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: mal2.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.573738619.0000000000F47000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.581262316.0000000000917000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.603106130.0000000000B7D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.602476954.0000000000B7D000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000019.00000003.602237788.0000000000BBB000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.584277033.00000000047F1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.609321694.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.593818088.00000000003D2000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000019.00000003.603106130.0000000000B7D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.602476954.0000000000B7D000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007A151C push ds; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007A150F push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0106150F push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0106151C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EDC9153 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00DA151C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00DA150F push ds; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDAE4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
Source: C:\Windows\SysWOW64\rundll32.exe | PE file moved: C:\Windows\SysWOW64\Xjvbeeymcqp\hqokwlnubzbb.uql

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Xjvbeeymcqp\hqokwlnubzbb.uql:Zone.Identifier (access: read attributes | delete)
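The row above shows rundll32.exe opening the Zone.Identifier alternate data stream of the relocated copy with delete access. That stream is the Mark-of-the-Web: an INI-style [ZoneTransfer] record with a ZoneId (3 = Internet) and, in newer browsers, the referrer and host URLs. Removing it makes the file look locally created to SmartScreen, Office Protected View and the shell's Unblock prompt. The Python below is an added example and not report content: it parses the stream, classifies the zone, reads the stream from NTFS when run on Windows, and flags file-access events that open a :Zone.Identifier stream with delete access. The stream text, URLs and the explorer.exe event are constructed for the example.

```python
"""Mark-of-the-Web (Zone.Identifier) inspection and MOTW-removal detection (added example)."""
from typing import Dict, List, Optional

# URLZONE values as written into the Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] stream into a dict, keeping keys as written."""
    in_section = False
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def zone_name(zone_id: int) -> str:
    return ZONE_NAMES.get(zone_id, f"unknown zone {zone_id}")


def is_marked_from_internet(text: str) -> bool:
    """True when the stream places the file in the Internet or Restricted zone."""
    fields = parse_zone_identifier(text)
    try:
        return int(fields.get("ZoneId", "0")) >= 3
    except ValueError:
        return False


def read_zone_stream(path: str) -> Optional[str]:
    """Read <path>:Zone.Identifier on NTFS; None when there is no stream (or not on Windows)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def find_motw_removal(file_events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag opens of a :Zone.Identifier stream that request DELETE access.

    Opening the stream with DELETE (delete-on-close or a following disposition
    set) is how the mark is stripped, which is what the rundll32.exe row above
    records for the relocated copy of the sample.
    """
    return [ev for ev in file_events
            if ev["path"].lower().endswith(":zone.identifier")
            and "delete" in ev["access"].lower()]


# Constructed sample stream in the format a browser writes (URLs are placeholders).
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/mal2.dll\r\n")

# Constructed file-access events modelled on the row above, plus a benign control
# (a read-only open, which leaves the mark in place).
SAMPLE_FILE_EVENTS = [
    {"process": r"C:\Windows\SysWOW64\rundll32.exe",
     "path": r"C:\Windows\SysWOW64\Xjvbeeymcqp\hqokwlnubzbb.uql:Zone.Identifier",
     "access": "read attributes | delete"},
    {"process": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\user\Downloads\report.pdf:Zone.Identifier",
     "access": "read data"},
]

if __name__ == "__main__":
    fields = parse_zone_identifier(SAMPLE_STREAM)
    print("zone:", zone_name(int(fields["ZoneId"])), "from", fields.get("HostUrl"))
    for ev in find_motw_removal(SAMPLE_FILE_EVENTS):
        print("MOTW removal:", ev["process"], "->", ev["path"])
```

When hunting on a live host, pair read_zone_stream with a directory walk of the System32/SysWOW64 subdirectories: a PE there with no stream but a recent creation time, like the .uql copy above, is the post-removal state this row produces. Note that the mark also disappears legitimately when a file is copied to FAT/exFAT media or unblocked by the user, so the delete-access event, not the stream's absence, is the stronger signal.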
Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (10 events)
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX (6 events)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (4 events)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (38 events)
Source: C:\Windows\System32\svchost.exe TID: 6152 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4644 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\loaddll32.exe | API coverage: 7.3 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 9.8 %
Source: C:\Windows\System32\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDC2FE7 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EDC2FE7 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.22.dr | Binary or memory string: VMware
Source: Amcache.hve.22.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.22.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.22.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr | Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000004.00000002.567333158.0000028217E61000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
Source: Amcache.hve.22.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000019.00000003.639184264.0000000001110000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.640688899.0000000001112000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWigabit Network Connection-WFP Native MAC Layer LightWeight Filter-0000
Source: Amcache.hve.22.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.22.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000004.00000002.565370387.0000028212829000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.567296199.0000028217E55000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.640605241.00000000010E0000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.639184264.0000000001110000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.640688899.0000000001112000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.22.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.22.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.22.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.22.dr | Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.661148493.0000016AA0A29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.22.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Note: every VMware and Hyper-V string in this group comes from the Amcache.hve copy captured as a dropped file during the WerFault.exe crash reporting, or from svchost.exe and WerFault.exe memory; that is the analysis VM's own hardware inventory, not content of mal2.dll, so these rows are not evidence that the sample fingerprints virtual machines.
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDBD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDAE4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDA1290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007B4315 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDBC050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDBBFE0 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDBBFE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDC12CB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDC298C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01074315 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EDBC050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EDBBFE0 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EDBBFE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EDC12CB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EDC298C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00DB4315 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007AE259 LdrInitializeThunk,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDBCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDBD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDC29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EDBCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EDBD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EDC29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
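The rows above combine three anti-analysis idioms that are cheap to find statically: loads of the PEB pointer from fs:[30h] (TEB.ProcessEnvironmentBlock in a 32-bit process), which feed both the BeingDebugged check and the loader-list walk behind "dynamically determine API calls"; push X; ret pairs used as obfuscated jumps (the "call, push, ret" signature); and the IsDebuggerPresent and DebugPort checks. The Python scanner below is an added example, not part of the report: it locates the x86 encodings of the first two idioms in a raw code buffer and, for every PEB load, inspects the following bytes to tell whether the code then reads BeingDebugged (PEB+0x02) or Ldr (PEB+0x0C). The input bytes are constructed for the example and are not taken from mal2.dll. Treat hits as triage signals rather than verdicts: the same IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter sequence is emitted by the MSVC CRT's fast-fail error handler, so the API lists alone do not prove deliberate anti-debugging.

```python
"""Static triage: find PEB-access and push/ret idioms in raw x86 code (added example)."""
import re
from typing import List, Tuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# mov eax, fs:[0x30]   -> 64 A1 30 00 00 00     (short form, eax only)
# mov r32, fs:[0x30]   -> 64 8B /r 30 00 00 00  (modrm mod=00 rm=101 selects disp32)
PEB_LOAD_RE = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")
# push ds (1E) or push r32 (50..57) immediately followed by ret (C3)
PUSH_RET_RE = re.compile(rb"(?:\x1E|[\x50-\x57])\xC3")


def _loaded_register(match: bytes) -> int:
    """Register index the PEB pointer was loaded into."""
    return 0 if match[1] == 0xA1 else (match[2] >> 3) & 7


def classify_followup(buf: bytes, pos: int, base: int) -> str:
    """Look a few bytes past a PEB load for the field read off that register."""
    window = buf[pos:pos + 12]
    for i in range(len(window) - 3):
        b0, b1, b2, b3 = window[i], window[i + 1], window[i + 2], window[i + 3]
        # movzx r32, byte ptr [base+2]   0F B6 /r 02  -> PEB.BeingDebugged
        if b0 == 0x0F and b1 == 0xB6 and (b2 & 0xC7) == (0x40 | base) and b3 == 0x02:
            return "reads PEB+0x02 BeingDebugged"
        # cmp byte ptr [base+2], 0       80 /7 02 00  -> PEB.BeingDebugged
        if b0 == 0x80 and b1 == (0x78 | base) and b2 == 0x02 and b3 == 0x00:
            return "compares PEB+0x02 BeingDebugged"
        # mov r32, [base+0x0C]           8B /r 0C     -> PEB.Ldr (module list walk)
        if b0 == 0x8B and (b1 & 0xC7) == (0x40 | base) and b2 == 0x0C:
            return "reads PEB+0x0C Ldr (walks loaded modules, e.g. to resolve APIs)"
    return "PEB pointer loaded (use not classified)"


def find_peb_loads(buf: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, register, classification) for every fs:[0x30] load."""
    out = []
    for m in PEB_LOAD_RE.finditer(buf):
        reg = _loaded_register(m.group(0))
        out.append((m.start(), REGS[reg], classify_followup(buf, m.end(), reg)))
    return out


def find_push_ret(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, pushed operand) for every push X; ret pair."""
    out = []
    for m in PUSH_RET_RE.finditer(buf):
        op = m.group(0)[0]
        out.append((m.start(), "ds" if op == 0x1E else REGS[op - 0x50]))
    return out


# Constructed bytes (not from mal2.dll) that reproduce the idioms the report lists.
SAMPLE_CODE = bytes.fromhex(
    "5589E5"            # push ebp; mov ebp, esp        ordinary prologue
    "64A130000000"      # mov eax, fs:[0x30]
    "0FB64002"          # movzx eax, byte ptr [eax+2]   BeingDebugged
    "85C0750A"          # test eax, eax; jnz +0x0A
    "648B3530000000"    # mov esi, fs:[0x30]
    "8B460C"            # mov eax, [esi+0x0C]           Ldr
    "648B0D30000000"    # mov ecx, fs:[0x30]
    "80790200"          # cmp byte ptr [ecx+2], 0       BeingDebugged
    "B8EFBEADDE"        # mov eax, 0xDEADBEEF           immediate, not a PEB read
    "51C3"              # push ecx; ret                 indirect jump through ecx
    "5DC3"              # pop ebp; ret                  ordinary epilogue
)

if __name__ == "__main__":
    for off, reg, what in find_peb_loads(SAMPLE_CODE):
        print(f"{off:#06x}: mov {reg}, fs:[0x30]  {what}")
    for off, op in find_push_ret(SAMPLE_CODE):
        print(f"{off:#06x}: push {op}; ret")
```

Run it over the .text section of an unpacked 32-bit image (for example the 7a0000 dump the Yara rules matched below) rather than the packed file: in the packed sample the idioms are encrypted and only the stub's CRT boilerplate will match. The byte patterns are exact encodings, so a compiler that routes the PEB read through NtCurrentTeb() and a register other than the disp32 forms listed will be missed; extend PEB_LOAD_RE rather than loosening the match if that happens.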
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1456 -ip 1456
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 304
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 1456 -ip 1456
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 312
Source: loaddll32.exe, 00000000.00000000.567467606.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568950962.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596918132.0000000001430000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.598640462.0000000001430000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.662938655.00000000030F0000.00000002.00020000.sdmp | Binary or memory strings: Shell_TrayWnd; Progman; SProgram Managerl; Shell_TrayWnd,; Progmanlock
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (6 events)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 events)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 events)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation (1 event)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (2 events)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDBCC44 cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDBCE15 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Every row under this signature is sourced from svchost.exe, not from the rundll32.exe instances that loaded mal2.dll. An svchost hosting wscsvc (the Security Center service) appears in the process list above, and enumerating the ROOT\SecurityCenter2 product classes and touching the Security Center cval value is consistent with that service's own activity, so do not attribute this signature to the sample without a process-tree link from the rundll32.exe chain.
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: Amcache.hve.22.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.22.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000C.00000002.661306381.000001F0AB03E000.00000004.00000001.sdmp | Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.661514183.000001F0AB102000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.661194912.000001F0AB029000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Yara matches in unpacked PE files (type UNPACKEDPE):
0.0.loaddll32.exe.d33b80.10.raw.unpack
3.2.rundll32.exe.ba0000.0.raw.unpack
0.0.loaddll32.exe.7a0000.9.unpack
0.0.loaddll32.exe.7a0000.9.raw.unpack
0.0.loaddll32.exe.d33b80.7.unpack
2.2.rundll32.exe.1060000.0.unpack
0.2.loaddll32.exe.7a0000.0.raw.unpack
0.0.loaddll32.exe.d33b80.4.unpack
0.0.loaddll32.exe.7a0000.6.unpack
0.0.loaddll32.exe.d33b80.4.raw.unpack
0.0.loaddll32.exe.7a0000.6.raw.unpack
5.2.rundll32.exe.da0000.0.unpack
2.2.rundll32.exe.1060000.0.raw.unpack
6.2.rundll32.exe.650000.0.raw.unpack
6.2.rundll32.exe.782138.1.raw.unpack
6.2.rundll32.exe.650000.0.unpack
0.0.loaddll32.exe.7a0000.0.raw.unpack
0.2.loaddll32.exe.d33b80.1.raw.unpack
6.2.rundll32.exe.782138.1.unpack
5.2.rundll32.exe.da0000.0.raw.unpack
0.2.loaddll32.exe.7a0000.0.unpack
0.0.loaddll32.exe.d33b80.1.unpack
0.0.loaddll32.exe.d33b80.7.raw.unpack
0.0.loaddll32.exe.7a0000.0.unpack
5.2.rundll32.exe.32a2138.1.raw.unpack
0.0.loaddll32.exe.7a0000.3.unpack
0.2.loaddll32.exe.d33b80.1.unpack
0.0.loaddll32.exe.7a0000.3.raw.unpack
5.2.rundll32.exe.32a2138.1.unpack
3.2.rundll32.exe.d13d58.1.unpack
3.2.rundll32.exe.ba0000.0.unpack
0.0.loaddll32.exe.d33b80.1.raw.unpack
0.0.loaddll32.exe.d33b80.10.unpack
3.2.rundll32.exe.d13d58.1.raw.unpack
Yara matches in memory dumps (type MEMORY):
00000000.00000000.566657802.00000000007A0000.00000040.00000010.sdmp
00000000.00000002.642601650.00000000007A0000.00000040.00000010.sdmp
00000000.00000000.567231949.0000000000D2C000.00000004.00000020.sdmp
00000000.00000000.597839039.00000000007A0000.00000040.00000010.sdmp
00000000.00000000.596491370.00000000007A0000.00000040.00000010.sdmp
00000006.00000002.564537877.000000000076A000.00000004.00000020.sdmp
00000005.00000002.564875818.000000000328A000.00000004.00000020.sdmp
00000000.00000000.568652514.00000000007A0000.00000040.00000010.sdmp
00000000.00000002.643009162.0000000000D2C000.00000004.00000020.sdmp
00000002.00000002.545043648.0000000001060000.00000040.00000010.sdmp
00000000.00000000.596841009.0000000000D2C000.00000004.00000020.sdmp
00000002.00000003.526115475.0000000003368000.00000004.00000001.sdmp
00000006.00000002.564451857.0000000000650000.00000040.00000010.sdmp
00000000.00000000.598456484.0000000000D2C000.00000004.00000020.sdmp
00000003.00000002.543502348.0000000000BA0000.00000040.00000010.sdmp
00000000.00000000.568840979.0000000000D2C000.00000004.00000020.sdmp
00000005.00000002.564446850.0000000000DA0000.00000040.00000010.sdmp
00000003.00000002.543542843.0000000000CFA000.00000004.00000020.sdmp
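The Yara-match list above is easier to read once the identifiers are decoded per process. The following triage helper is an added example, not code from the report or from Joe Sandbox. It assumes the identifier layouts `<proc>.<stage>.<image>.<base>.<n>[.raw].unpack` and `<proc>.<stage>.<dumpid>.<base>.<protect>.<flags>.sdmp`, that `<base>` is the start address of the dumped region, that `<protect>` is the Win32 page-protection value (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE), and it leaves `<flags>` undecoded; none of those field meanings are stated on the page, they are inferred from the values (the 0x40 dumps coincide with the carved-PE bases). The sample input is a constructed subset of the sources listed above.

```python
"""Group Joe Sandbox Yara-match sources per process (added example).

Assumed identifier layouts (inferred, not documented on the report page):
  <proc>.<stage>.<image>.<base>.<n>[.raw].unpack
  <proc>.<stage>.<dumpid>.<base>.<protect>.<flags>.sdmp
<protect> is assumed to be the Win32 page protection; <flags> is not decoded.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PAGE_PROTECT = {  # Win32 PAGE_* constants (assumed meaning of the 5th .sdmp field)
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.([^.]+\.exe)\.([0-9a-fA-F]+)\.(\d+)(\.raw)?\.unpack$")
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})"
                     r"\.([0-9A-F]{8})\.sdmp$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    proc: int                      # sandbox process index (0 = loaddll32.exe here)
    stage: int                     # analysis stage the artefact was taken in
    base: int                      # start address of the dumped region
    kind: str                      # "unpack" (carved PE) or "sdmp" (memory region)
    protect: Optional[int] = None  # page protection, .sdmp only
    image: Optional[str] = None    # process image name, .unpack only


def parse_source(src: str) -> Hit:
    """Parse one 'File source:' value; raise ValueError on anything else."""
    m = UNPACK_RE.match(src)
    if m:
        return Hit(int(m[1]), int(m[2]), int(m[4], 16), "unpack", image=m[3])
    m = SDMP_RE.match(src)
    if m:
        return Hit(int(m[1], 16), int(m[2], 16), int(m[4], 16), "sdmp", protect=int(m[5], 16))
    raise ValueError(f"unrecognised source: {src}")


def summarize(sources: List[str]) -> Dict[int, dict]:
    """Per process: image name, RWX region bases, other dumped regions, carved-PE
    bases, and carved PEs that are not page aligned (a PE inside a larger buffer
    rather than a mapped image)."""
    out: Dict[int, dict] = {}
    for h in map(parse_source, sources):
        p = out.setdefault(h.proc, {"image": None, "rwx": set(), "other": set(),
                                    "unpack": set(), "unaligned_unpack": set()})
        if h.kind == "unpack":
            p["image"] = p["image"] or h.image
            p["unpack"].add(h.base)
            if h.base & 0xFFF:
                p["unaligned_unpack"].add(h.base)
        elif h.protect == 0x40:
            p["rwx"].add(h.base)
        else:
            p["other"].add((h.base, PAGE_PROTECT.get(h.protect, hex(h.protect))))
    return out


def enclosing_region(summary: dict, proc: int, addr: int) -> Optional[int]:
    """Heuristic: highest dumped region base at or below addr in this process.
    Region sizes are not in the report, so this is a best guess, not containment."""
    bases = [b for b, _ in summary[proc]["other"]] + list(summary[proc]["rwx"])
    below = [b for b in bases if b <= addr]
    return max(below) if below else None


# Constructed sample input: a subset of the Yara-match sources from the report.
REPORT_SOURCES = [
    "0.0.loaddll32.exe.7a0000.6.unpack", "0.0.loaddll32.exe.d33b80.4.raw.unpack",
    "0.2.loaddll32.exe.7a0000.0.unpack", "2.2.rundll32.exe.1060000.0.unpack",
    "3.2.rundll32.exe.ba0000.0.unpack", "3.2.rundll32.exe.d13d58.1.unpack",
    "5.2.rundll32.exe.da0000.0.unpack", "5.2.rundll32.exe.32a2138.1.raw.unpack",
    "6.2.rundll32.exe.650000.0.unpack", "6.2.rundll32.exe.782138.1.unpack",
    "00000000.00000002.642601650.00000000007A0000.00000040.00000010.sdmp",
    "00000000.00000002.643009162.0000000000D2C000.00000004.00000020.sdmp",
    "00000002.00000002.545043648.0000000001060000.00000040.00000010.sdmp",
    "00000002.00000003.526115475.0000000003368000.00000004.00000001.sdmp",
    "00000003.00000002.543502348.0000000000BA0000.00000040.00000010.sdmp",
    "00000003.00000002.543542843.0000000000CFA000.00000004.00000020.sdmp",
    "00000005.00000002.564446850.0000000000DA0000.00000040.00000010.sdmp",
    "00000005.00000002.564875818.000000000328A000.00000004.00000020.sdmp",
    "00000006.00000002.564451857.0000000000650000.00000040.00000010.sdmp",
    "00000006.00000002.564537877.000000000076A000.00000004.00000020.sdmp",
]


def report(sources: List[str] = REPORT_SOURCES) -> List[str]:
    """Human-readable per-process summary, returned as lines."""
    lines, s = [], summarize(sources)
    for proc in sorted(s):
        p = s[proc]
        lines.append(f"proc {proc} ({p['image']}): RWX regions {[hex(b) for b in sorted(p['rwx'])]}, "
                     f"carved PEs {[hex(b) for b in sorted(p['unpack'])]}")
        for addr in sorted(p["unaligned_unpack"]):
            enc = enclosing_region(s, proc, addr)
            where = f"{enc:#x}" if enc is not None else "none dumped"
            lines.append(f"  carved PE at {addr:#x} is not page aligned; nearest dumped region below it: {where}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On this input every one of the five processes (loaddll32.exe and four rundll32.exe instances) holds exactly one RWX region at which a PE was carved, and each of the non-aligned carved PEs (0xD33B80, 0xD13D58, 0x32A2138, 0x782138) sits just above a PAGE_READWRITE dump from the same process, which is the shape one expects from a payload decrypted into a heap buffer and then written into an executable region.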

Mitre Att&ck Matrix

Techniques per tactic as listed in the report's matrix. The number in parentheses after a technique is the signature-match count the matrix displays for it, reproduced as shown; techniques without a number had no matching signature.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation (1); Native API (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: Process Injection (12); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Masquerading (2); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (3); Process Injection (12); Deobfuscate/Decode Files or Information (1); Hidden Files and Directories (1); Obfuscated Files or Information (2); Rundll32 (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (1); Query Registry (1); Security Software Discovery (61); Virtualization/Sandbox Evasion (3); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (33); System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 532100; Sample: mal2.dll; Start date: 01/12/2021; Architecture: WINDOWS; Score: 76

Signatures attached to the root node: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Emotet; C2 URLs / IPs found in malware configuration

Network nodes attached to the root: 210.57.217.132 (UNAIR-AS-IDUniversitasAirlanggaID, Indonesia); 203.114.109.124 (TOT-LLI-AS-APTOTPublicCompanyLimitedTH, Thailand); 27 other IPs or domains

Process tree as drawn in the graph (the small numbers after a process name are the graph's badges for created registry values and created files; signatures attached to a node are given in brackets, network nodes after "->"):
  loaddll32.exe 1
    rundll32.exe 2  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
      rundll32.exe
    cmd.exe 1
      rundll32.exe
        rundll32.exe
    WerFault.exe 3 9  -> 192.168.2.1
    3 other processes
      rundll32.exe
      rundll32.exe
  svchost.exe  [Changes security center settings (notifications, updates, antivirus, firewall)]
    MpCmdRun.exe 1
      conhost.exe
  svchost.exe 3 8
    WerFault.exe
    WerFault.exe
  5 other processes  -> 127.0.0.1


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
mal2.dll | 6% | Virustotal |
mal2.dll | 24% | ReversingLabs | Win32.Trojan.Midie

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.loaddll32.exe.7a0000.6.unpack | 100% | Avira | HEUR/AGEN.1110387
6.2.rundll32.exe.650000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.7a0000.9.unpack | 100% | Avira | HEUR/AGEN.1110387
2.2.rundll32.exe.1060000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
5.2.rundll32.exe.da0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.2.loaddll32.exe.7a0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.7a0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.7a0000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.ba0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://crl.ver) | 0% | Avira URL Cloud | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
https://%s.xboxlive.com/ | 0% | Avira URL Cloud | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000A.00000002.388943903.0000020B26E41000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 0000000A.00000003.387900433.0000020B26E69000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.388989382.0000020B26E6B000.00000004.00000001.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000A.00000003.387943285.0000020B26E4D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.388970566.0000020B26E56000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388048361.0000020B26E50000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate | svchost.exe, 00000004.00000002.566413205.00000282128AF000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000004.00000002.567003860.0000028217E12000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000A.00000002.388958286.0000020B26E4A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387957781.0000020B26E49000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp | false | | high
http://upx.sf.net | Amcache.hve.22.dr | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387943285.0000020B26E4D000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000A.00000002.388958286.0000020B26E4A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387957781.0000020B26E49000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000A.00000003.387936814.0000020B26E60000.00000004.00000001.sdmp | false | | high
https://dynamic.t | svchost.exe, 0000000A.00000002.388983797.0000020B26E66000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000A.00000003.338514593.0000020B26E35000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388024416.0000020B26E3E000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000A.00000002.388958286.0000020B26E4A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387957781.0000020B26E49000.00000004.00000001.sdmp | false | | high
https://activity.windows.com | svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 0000000A.00000002.388912529.0000020B26E13000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000A.00000003.387932456.0000020B26E63000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000002.388924782.0000020B26E29000.00000004.00000001.sdmp | false | | high
https://%s.xboxlive.com/ | svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://%s.dnet.xboxlive.com | svchost.exe, 00000007.00000002.661162395.00000227EB441000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000A.00000002.388951772.0000020B26E44000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.387983858.0000020B26E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.388012695.0000020B26E43000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000A.00000003.387943285.0000020B26E4D000.00000004.00000001.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
195.154.133.20 | unknown | France | 12876 | OnlineSASFR | true
212.237.17.99 | unknown | Italy | 31034 | ARUBA-ASNIT | true
110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true
104.245.52.73 | unknown | United States | 63251 | METRO-WIRELESSUS | true
138.185.72.26 | unknown | Brazil | 264343 | EmpasoftLtdaMeBR | true
81.0.236.90 | unknown | Czech Republic | 15685 | CASABLANCA-ASInternetCollocationProviderCZ | true
45.118.115.99 | unknown | Indonesia | 131717 | IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID | true
103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true
216.158.226.206 | unknown | United States | 19318 | IS-AS-1US | true
107.182.225.142 | unknown | United States | 32780 | HOSTINGSERVICES-INCUS | true
45.118.135.203 | unknown | Japan | 63949 | LINODE-APLinodeLLCUS | true
50.116.54.215 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
51.68.175.8 | unknown | France | 16276 | OVHFR | true
103.8.26.102 | unknown | Malaysia | 132241 | SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY | true
46.55.222.11 | unknown | Bulgaria | 34841 | BALCHIKNETBG | true
41.76.108.46 | unknown | South Africa | 327979 | DIAMATRIXZA | true
103.8.26.103 | unknown | Malaysia | 132241 | SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY | true
178.79.147.66 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | true
212.237.5.209 | unknown | Italy | 31034 | ARUBA-ASNIT | true
                                                                                            176.104.106.96
                                                                                            unknownSerbia
                                                                                            198371NINETRStrue
                                                                                            207.38.84.195
                                                                                            unknownUnited States
                                                                                            30083AS-30083-GO-DADDY-COM-LLCUStrue
                                                                                            212.237.56.116
                                                                                            unknownItaly
                                                                                            31034ARUBA-ASNITtrue
                                                                                            45.142.114.231
                                                                                            unknownGermany
                                                                                            44066DE-FIRSTCOLOwwwfirst-colonetDEtrue
                                                                                            203.114.109.124
                                                                                            unknownThailand
                                                                                            131293TOT-LLI-AS-APTOTPublicCompanyLimitedTHtrue
                                                                                            210.57.217.132
                                                                                            unknownIndonesia
                                                                                            38142UNAIR-AS-IDUniversitasAirlanggaIDtrue
                                                                                            58.227.42.236
                                                                                            unknownKorea Republic of
                                                                                            9318SKB-ASSKBroadbandCoLtdKRtrue
                                                                                            185.184.25.237
                                                                                            unknownTurkey
                                                                                            209711MUVHOSTTRtrue
                                                                                            158.69.222.101
                                                                                            unknownCanada
                                                                                            16276OVHFRtrue
                                                                                            104.251.214.46
                                                                                            unknownUnited States
                                                                                            54540INCERO-HVVCUStrue

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532100
Start date: 01.12.2021
Start time: 18:26:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: mal2.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winDLL@39/21@0/31
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 10.3% (good quality ratio 9.8%)
• Quality average: 72.3%
• Quality standard deviation: 24.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Sleeps bigger than 120000ms are automatically reduced to 1000ms
• Found application associated with file extension: .dll
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 23.35.236.56, 20.42.65.92, 80.67.82.211, 80.67.82.235
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, onedsblobprdeus17.eastus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
18:27:12  API Interceptor  1x Sleep call for process: svchost.exe modified
18:29:34  API Interceptor  1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context


Domains

No context

                                                                                                                                                                          67MPsax8fd.exeGet hashmaliciousBrowse
                                                                                                                                                                          • 163.172.208.8
                                                                                                                                                                          Linux_x86Get hashmaliciousBrowse
                                                                                                                                                                          • 212.83.174.79
                                                                                                                                                                          184285013-044310-Factura pendiente (2).exeGet hashmaliciousBrowse
                                                                                                                                                                          • 212.83.130.20
                                                                                                                                                                          MTjXit7IJnGet hashmaliciousBrowse
                                                                                                                                                                          • 51.158.219.54
                                                                                                                                                                          SCAN_35292280954166786.xlsmGet hashmaliciousBrowse
                                                                                                                                                                          • 195.154.133.20
                                                                                                                                                                          gvtdsqavfej.dllGet hashmaliciousBrowse
                                                                                                                                                                          • 195.154.146.35
                                                                                                                                                                          mhOX6jll6x.dllGet hashmaliciousBrowse
                                                                                                                                                                          • 195.154.146.35
                                                                                                                                                                          dguQYT8p8j.dllGet hashmaliciousBrowse
                                                                                                                                                                          • 195.154.146.35

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):0.3593198815979092
Encrypted:false
SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:false
Preview: .............*..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................*.............................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process:C:\Windows\System32\svchost.exe
File Type:MPEG-4 LOAS
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.24942706526168892
Encrypted:false
SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4x:BJiRdwfu2SRU4x
MD5:46882A6830E76E84809FF61D41FC1A60
SHA1:62C986CAD7FC75056669C8366B6299D7EC088CA9
SHA-256:763C6AFC1CDB01A68D4CA86AB03C92DF28C1E60C840AECC73FA960C48D26CD32
SHA-512:37F2DC3EA70AA2A9926010784A619B78AB5BA70F4CEA1C466C68699E59F9E360473A906AF50895BFCDB42980BDDBC1CB321E9D8FF432F1628A9F65A99FC08B29
Malicious:false
Preview: V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process:C:\Windows\System32\svchost.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0xecb7d22b, page size 16384, Windows version 10.0
Category:dropped
Size (bytes):786432
Entropy (8bit):0.2506006063210868
Encrypted:false
SSDEEP:384:xrK+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:xrlSB2nSB2RSjlK/+mLesOj1J2
MD5:A47C47EF3D00475460F84F8516370E92
SHA1:7F689445BF7967C5252B85CA244EE87D5B5C30C9
SHA-256:4F0043163E1434024C3DE253F0DAF6FE34477506B00A169EF90DEEEDC8B172BE
SHA-512:6B1E60A8946E8B00D01C081063CCDF145032767B76CDF694A59EA509638174C19BDD9729C46399A14547497884C5D94C0EF0CAAA77D91B7C62C612F482849951
Malicious:false
Preview: ..+... ................e.f.3...w........................)..........y.......y#.h.(..........y....)..............3...w...........................................................................................................B...........@...................................................................................................... ...................................................................................................................................................................................................................................................N>8`.....y...................A......y..........................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.07605342734948045
Encrypted:false
SSDEEP:3:rVT7vpPA4np/l/Ky67cyORShtl4AyOl/ill3Vkttlmlnl:RTrJAY/l/P67cyORifyOl/G3
MD5:400EA9108E962862766500814F7D3466
SHA1:87F9A5FC0B7C862F8C32D5847BCEF1C9450FE8A3
SHA-256:FD04432EDFD989575D48B36ECC56286B108A9917AB6A23E340A5168DB780C7BF
SHA-512:BABB9019C2631B2095B88F19BBEE29A3892C4F098ECFB31435FC669300F08C29AF03AD8315290324CFEFABD9BFBAB0EC8C3270767ABB8540E7057955297334E0
Malicious:false
Preview: 8......................................3...w.......y.......y...............y.......y..x........y...................A......y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_747b3d3843a661accc8c92924ccfd5a2e2d128_d70d8aa6_12d2c47d\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.6740553107090325
Encrypted:false
SSDEEP:96:vh2Zqy4ky9hkoyt7JfqpXIQcQ5c6A2cE2cw33+a+z+HbHg4VG4rmMOyWZAXGng5+:OBwHnM28jj0q/u7sQS274ItW
MD5:BE82113082E2819C42982B02E0A9BD2E
SHA1:0063CD51A4884D06C037EDAED974D114F1AE3B69
SHA-256:71EA212CDCB5DA9D3FB46094F4F25860CC7938FFBC922EAE53A7DE6F02E5149F
SHA-512:1D8AA30CA1532B3DE428D0974918460BE02EFD9398FB2C1CDB40A1D53B2C62F1164F4CBD86D1CA9591DB41EE2C8F0F476957712E2598B23B9354398E5BB4BE1F
Malicious:false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.8.8.5.7.8.2.7.4.8.5.7.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.6.4.7.0.1.f.-.4.b.f.f.-.4.a.a.5.-.9.7.c.a.-.9.6.d.8.6.6.f.f.1.5.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.6.6.1.7.1.1.-.e.1.3.8.-.4.9.4.1.-.b.f.b.5.-.b.5.f.7.a.9.4.9.9.7.d.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.b.0.-.0.0.0.1.-.0.0.1.6.-.a.b.1.c.-.c.4.1.b.2.4.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_11fb1c03\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.6753216957227272
Encrypted:false
SSDEEP:96:0RFB82ZqyFky9hk1Dg3fWpXIQcQec6XFcE1cw3f+a+z+HbHg4VG4rmMOyWZAXGn5:ALvBmHgx/Lj0q/u7sQS274ItWA
MD5:5B1C5CCFBA925A0022F40E0CEE00FEDB
SHA1:CA6DA28C640B5982213ACEF6FEC1B111C089EE22
SHA-256:57535D7DA24E9548E19ECAE80CEA01F7D68326C3EEC78D647305F3F7B3399D1F
SHA-512:9E180B8A14A0384BB34784E16FEFD92EEFE4E8A22CA103E3B247174517DD7C14744873A5FDBA32867C6EC161CBEA45DB3C043E6A26CBE62D1B0F7C9A52D400E6
Malicious:false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.8.8.5.7.9.2.9.1.7.2.0.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.8.8.5.8.0.7.3.7.0.3.0.2.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.1.d.6.8.5.4.-.3.6.a.8.-.4.2.5.3.-.b.2.c.5.-.e.b.7.c.4.7.a.4.8.c.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.5.0.b.8.0.5.-.a.b.8.f.-.4.3.e.f.-.8.e.e.5.-.a.3.6.3.8.d.8.7.f.1.e.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.b.0.-.0.0.0.1.-.0.0.1.6.-.a.b.1.c.-.c.4.1.b.2.4.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB46F.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 02:29:43 2021, 0x1205a4 type
Category:dropped
Size (bytes):26296
Entropy (8bit):2.5210712860247995
Encrypted:false
SSDEEP:192:BLSTpuda2OX0cYPKfXHWRlhvnQsPPud0MnY:MpBX0DPKf3WTh4sPPuK
MD5:AAB65F6BFD0CCCB966FA7D8B3C42EED1
SHA1:C5208BC22BF1768A49E1FAC1868CE5786BC7496B
SHA-256:DB94B5E3D75A56D250D4A656C127B918D42A8B88635C72D0D4C3811F2C23DE9E
SHA-512:80C7C663745DFD436D820EC3A4CB847A873044C959406F86D06FEFCE4C7B287FE7F59AF624DC3FA71D49D216C1808DC199FB2DCBC01E3B0EF65D3FF91843DB15
Malicious:false
Preview: MDMP....... ......../.a............4...............H.......$...........................`.......8...........T...........h...PZ...........................................................................................U...........B......p.......GenuineIntelW...........T..............a0............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8C6.tmp.WERInternalMetadata.xml
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):8340
                                                                                                                                                                          Entropy (8bit):3.702469143283619
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:Rrl7r3GLNisX6TBi6YIFSUEsgmfcSzpCpBx89bL5sfG5m:RrlsNi86Q6Y6SUEsgmfcSzdLSfJ
                                                                                                                                                                          MD5:E1387B79527B0F7C5B2F7AF6E4A19E54
                                                                                                                                                                          SHA1:44B0651BB01C15A2813E87D0D623A0F02354EA1B
                                                                                                                                                                          SHA-256:420AE0927113DAF8FD0BC36D83AB80D62239FB7E9B7AE97DDF382FD72CDEFAA0
                                                                                                                                                                          SHA-512:90FF0BC1B0684C978CA4F9F9E01155AE4E8916BC0D8F67C212B0CF8604990839FB228A0A88D222375F7EC8A0D38D31ACB5B5CC1EB8F8CE7F112C8E22437C2DF1
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.5.6.<./.P.i.d.>.......
                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC41.tmp.xml
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4598
                                                                                                                                                                          Entropy (8bit):4.478117007255109
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwSD8zs7uiJgtWI9HoSWSC8Bv8fm8M4J2ynZF8+q84WDhKcQIcQwQVTd:uITf7uwsozSNOJ1YYhKkwQVTd
                                                                                                                                                                          MD5:2D3F62C4A24855DABE5433BF864A0808
                                                                                                                                                                          SHA1:425FDF2F32B9B96E06F14A0737032C6D05F1D61F
                                                                                                                                                                          SHA-256:BFA43B078D32ADB3D8A78A94108E56A392A80539D2F451E338647F61858FFF58
                                                                                                                                                                          SHA-512:E5EFF8935C708AC7EC8E4369A8298403270A2122C8322906F03BD239AE207F9F4C7102A3CE9BC57E7B77DB8AC566D6CCF6828A774E487AA1863B3D4C0F47AEB0
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279420" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERD250.tmp.csv
                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                          File Type:data
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):48280
                                                                                                                                                                          Entropy (8bit):3.0668805174003246
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:4oHIWaUE2sVcr22+ktXYVnZiCnN/17yikONct9d3FA/vEyaw/R:4oHjaGsVcr22jtXYVnZiUN/17yikONc6
                                                                                                                                                                          MD5:9D6EA18F0C9A3E42895DCE6A7D053153
                                                                                                                                                                          SHA1:292776A1784841FB8747847B331AF63CC0BE3B5F
                                                                                                                                                                          SHA-256:3AA4FBF2E7004BFF21138200358B14F8163767731CD42A4A998E08E996458596
                                                                                                                                                                          SHA-512:913AC1F2E21B5404A28B0356EC0057597A93DFBDDCC637789FE779810B498D183C0FF51835096716F6A9B64881245FA91117A43B53256F2283DC87ADC311440E
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERD704.tmp.txt
                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                          File Type:data
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):13340
                                                                                                                                                                          Entropy (8bit):2.69398988774531
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:9GiZYWfo9Ye2gYJpYVWqpOH+UYEZ2LtFivZWoAwOO3AO2adEYcRoIhS3:9jZDYgqkoadEYcRPhS3
                                                                                                                                                                          MD5:8BCF9317469B01F7DA25DEBEB94A1BC3
                                                                                                                                                                          SHA1:0C8E3189A1989713BC69F55BCECC9A7259C59EDC
                                                                                                                                                                          SHA-256:81A00250D03925CE08193E09D29FCA1034984D12ED7268F7DA2FEEC1F3505B99
                                                                                                                                                                          SHA-512:F95E1979E53BBAD689D698DDDAACEBFC7EBD6028951D7C282A6506D9F445162CBBE227DBB0BE3F8611278FD796AF85D75093BCCE69E13EE2066322B3FE4D10E9
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC2B.tmp.dmp
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 02:29:53 2021, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):1059292
                                                                                                                                                                          Entropy (8bit):1.3394211426156184
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:1536:Q63A0FeV+OijAJI3zesnL+c+Nxn0zdC8JytfBLfVt5YotOWr8/OQK:X3A0FeEjssnL+c+Nxn0zdCxfBLfCjK
                                                                                                                                                                          MD5:B6F12D89DCD06074C15E346D0C902E31
                                                                                                                                                                          SHA1:13044E542E7BDE9206E9825793CF5F392E16F43D
                                                                                                                                                                          SHA-256:1D1EA0E145FECBFAE10B1267DF2ED6619DB413D1A0AB930E4065875FF9939DA1
                                                                                                                                                                          SHA-512:F2B7A31FE3A5BA908E540A5CC7F97752D386C3330A40DA992ED29C668251EFCC33D6A5A39F7A77C9D2D53E195E9ABFB3599C62B836B2AFB9F9F4BC53B3930AB2
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: MDMP....... ......../.a............4...............H.......$...........................`.......8...........T...........@................................................................................................U...........B......p.......GenuineIntelW...........T..............a1............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERE6BB.tmp.WERInternalMetadata.xml
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):8298
                                                                                                                                                                          Entropy (8bit):3.695238338561699
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:Rrl7r3GLNisA6oi6YI0SU/gmfL8GS5JCpDx89bj5sfNBm:RrlsNir6F6YLSU/gmfLrSJjSfi
                                                                                                                                                                          MD5:E93183C3F58E98E6C1E7DA3D5B4F4ACE
                                                                                                                                                                          SHA1:A380DC8E1EC24DE82245EAFAA86E036038CCB650
                                                                                                                                                                          SHA-256:9825CFD4238956F06D375D3065938D03A0CEEED6C4E657DE6CD2A3D1FA28FAF3
                                                                                                                                                                          SHA-512:6A8FEF1588000E848EE4D5DAF9B3F4BF5E7674173D660D76C679AE8E87A6650D2FF860739D8F93C284A1EFA17BD3CBD0BAAE2A87DFD21D6B607ED26E8440A5AA
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.5.6.<./.P.i.d.>.......
                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAD3.tmp.xml
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4558
                                                                                                                                                                          Entropy (8bit):4.432755522380974
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwSD8zs7uiJgtWI9HoSWSC8Bl8fm8M4J2yGtFmIp+q84tjNKcQIcQwQVTd:uITf7uwsozSNwJExpxNKkwQVTd
                                                                                                                                                                          MD5:0CCD3E2FE0BCD82AFC1EF99DC0F4B7FE
                                                                                                                                                                          SHA1:540B7C5A57950860C3DAB0B07F22C461C6B52EB1
                                                                                                                                                                          SHA-256:8AF913F7FD1C2FA96865DCC8F62FB4F94C9A32F673AB8AB2C91864911CD94E65
                                                                                                                                                                          SHA-512:17F8597FDC2A882CDF0D114DE481520B9D0B836DE350B743319050FA2D782ED674037CF05E655591D8ACADCC3483BBE26994C3ACA0C290E0E9E080D0553B17A0
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279420" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3D.tmp.txt
                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                          File Type:data
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):13340
                                                                                                                                                                          Entropy (8bit):2.6939928290108095
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:9GiZYWcZVqGYIYyWqHbRHsUYEZojtriIZZonwrXVa1PUKxjzIQj3:9jZDyPK/la1PUKF8Qj3
                                                                                                                                                                          MD5:56AE4194C1BB65AD9AF492B9491A5C71
                                                                                                                                                                          SHA1:15B5F6602BEE253ED6D9CE5F8010BD8FFAC71029
                                                                                                                                                                          SHA-256:7212649472ABFBE93D55BB3A2E96A261A09CCAB292AFBB723DDD54E1C2CCAD8D
                                                                                                                                                                          SHA-512:1E12ADF8EABC2AEF70D8D7074ABA57BA47A0F9AFEEF3BB9105CA4ACCACA404C328625FA037093DC0555CD2C7CA051CE23560CA582F71AE01CA271C8A0BDAFFEA
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFDB.tmp.csv
                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                          File Type:data
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):47834
                                                                                                                                                                          Entropy (8bit):3.066530967527075
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:CaHU6UEZjoSW22BktVgDVnZnKINpg7y8kMRg8tHZ1/RiYr:CaHU6pUSW22itVgDVnZnDNpg7y8kMRgy
                                                                                                                                                                          MD5:CCAEEAC32B5802D28F61DC7EB35C34B6
                                                                                                                                                                          SHA1:22B309FDB15FE6C3A19670D7F3C60B029CD95906
                                                                                                                                                                          SHA-256:DB8FF87D34A276D88FD5E154A2EFEE86C440FAEDB82344B95A7D7FE6DC6A5F53
                                                                                                                                                                          SHA-512:0646030B04F91F7B5BFE28C6579E645FD3B70DB7215403B6559DF66CCF82B57756BE2928B58D996F6CC2160ABD21AF378466A81D19E4896F765D475F6B130F42
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):55
                                                                                                                                                                          Entropy (8bit):4.306461250274409
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                                                                                          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                                                                                          Category:modified
                                                                                                                                                                          Size (bytes):7250
                                                                                                                                                                          Entropy (8bit):3.166050568584806
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:cEj+AbCEH+AbuEAc+AbhGEA+AbNEe+Ab/Ee+AbPE6w9+Ab1wTEl+AbB:cY+38+DJc+iGr+MZ+65+6tg+ECa+I
                                                                                                                                                                          MD5:95A18A0B546B551A9112E9FEBA266B36
                                                                                                                                                                          SHA1:BA13E20597440DEEA08F7EA9DE5005359510D0FF
                                                                                                                                                                          SHA-256:BC6DE2D0EDE221EB64960702F74D1F894897F276389FC07DC69E9033E5671555
                                                                                                                                                                          SHA-512:5C5B0A1E2C37559134482364E07549587E2B95FD07671E45F23AC5C45F975B89F9A1EBD40D51B5CC108E9588C82420F1F5131B5BC4766757EE6ED08A30FCD56A
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: ..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
                                                                                                                                                                          C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_022741_833.etl
                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                          File Type:data
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):12288
                                                                                                                                                                          Entropy (8bit):3.8177630021785336
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:g7CTaIPo+U/5lD9S/YqVCDCI2lOfk0c4v+T2XjFz5NMCvdJRwj5DNTNMCYj5YUMd:VZg46N2gAVCLRCVCEC9CKCl
                                                                                                                                                                          MD5:E0D1E78802BDE82B83FD99A15EF7BABA
                                                                                                                                                                          SHA1:B3DC38EBD2659EFBA4CE05162C54A32E76DCE98A
                                                                                                                                                                          SHA-256:DF16AD69D70D465FAC34CB8F4053CA88A4438A02C8BF5535B4F7BBCF7195E661
                                                                                                                                                                          SHA-512:6846993E4645CD270596CA5029BBDABCDCC92E870D60F713D2FB9951DB55C4C04A03E19601FCA11AA80FA8926067E4A0C338A5B40E9C180873A3CB3D5DCD87A6
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: .... ... ....................................... ...!....................................C......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... .....m...$...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.2.0.2._.0.2.2.7.4.1._.8.3.3...e.t.l.........P.P..........C.....................................................................................................................................................................................................................................................................
                                                                                                                                                                          C:\Windows\appcompat\Programs\Amcache.hve
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):1572864
                                                                                                                                                                          Entropy (8bit):4.264641005685364
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12288:USVCOdRHvb/XjPUXtSa8TRl6R5Umg2VnPr4kgjEDbCOKnf4QK3DjTvZl:tVCOdRHvb/XjPUXeN0fl
                                                                                                                                                                          MD5:045F66989BC9205C456E041FFFC8F4ED
                                                                                                                                                                          SHA1:658910D42949706991D1B2456FA0A15ED51EFEE2
                                                                                                                                                                          SHA-256:494836BB7203B77BD212C641C1FFC4C82CA86FE0A8716604C8982D62B53FBE3A
                                                                                                                                                                          SHA-512:ED4A3D464C136F03D4269F9EE9EFF039C0A6EEC10936E701C940BA314A7B60ED3AE838F0C0D7F82A804F89D406D34EEB5F5EE48656C556848690DF487CEDBE1E
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: regfR...R...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.W.s$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):16384
                                                                                                                                                                          Entropy (8bit):3.0508349292287393
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:xXiqAM1ayVRDlfYb5FSE9lMqXyQVWnxuYW2oCKqe8mxwpLuN5Z:pi5z5TXQnxuf2oCPmxwpLuN5Z
                                                                                                                                                                          MD5:F1B58F5B7D299D4061CA93F06CEB6B6E
                                                                                                                                                                          SHA1:ED84123DB60948661D8BAE7F50B35057673F4ADC
                                                                                                                                                                          SHA-256:E3BD54AA97BE3E68FBF0C4A185A622D67132835F785F516BCF5EA231B3E23E29
                                                                                                                                                                          SHA-512:FC0223155CA4449DEE6E02153E8EA25A9AE0BD287A74BEFB23209FB3DAB580BFEB96F0CA02E371994E2C67A435155AD035215F0CA3FFBFBFF88BCD2C85E1A9A6
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview: regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.W.s$...................................................................................................................................................................................................................................................................................................................................................HvLE.>......Q...............j{L...0............................hbin................p.\..,..........nk,....s$.......@........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....s$....... ...........P............... .......Z.......................Root........lf......Root....nk ....s$....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                                                                                                                                                                          Static File Info

                                                                                                                                                                          General

                                                                                                                                                                          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Entropy (8bit):6.970959661903669
                                                                                                                                                                          TrID:
                                                                                                                                                                          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.20%
                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                          File name:mal2.dll
                                                                                                                                                                          File size:387072
                                                                                                                                                                          MD5:9efbd03d5576686dd9f0678c09abe9fc
                                                                                                                                                                          SHA1:0b821e78137018bbf3f9c67d3b049e33d5b36ae5
                                                                                                                                                                          SHA256:972f9350219dcc2df463f923ec5b559f4ab69f083da9ccbd0976c51bc19f3f5b
                                                                                                                                                                          SHA512:fa2def2a793d79b63cf2c808c62e031544282bc3e01f97efa47b3114c702b004d767b818764f47c120007c680274ad9327587ac235186ee6e6d7bb168a19acc9
                                                                                                                                                                          SSDEEP:6144:zBYrPMTsY8GR3j4fubnY6Zs/Bv6yM6aSTsfA2qL6jpXNcc6CEteuQJPIgtlpZ5L:yhmT4GbnYks/BJNWo2LjpScDEteuOIoZ
                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

                                                                                                                                                                          File Icon

                                                                                                                                                                          Icon Hash:74f0e4ecccdce0e4

                                                                                                                                                                          Static PE Info

General

Entrypoint: 0x1001cac1
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61A73B52 [Wed Dec 1 09:07:30 2021 UTC]
TLS Callbacks: 0x1000c340
CLR (.Net) Version: (none)
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 609402ef170a35cc0e660d7d95ac10ce

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F95B4A4F8F7h
call 00007F95B4A4FC88h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F95B4A4F7A3h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F95B4A5019Eh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
jmp 00007F95B4A4F8FFh
push dword ptr [ebp+08h]
call 00007F95B4A53C84h
pop ecx
test eax, eax
je 00007F95B4A4F901h
push dword ptr [ebp+08h]
call 00007F95B4A53D00h
pop ecx
test eax, eax
je 00007F95B4A4F8D8h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F95B4A50263h
jmp 00007F95B4A50240h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1002A08Ch]
push dword ptr [ebp+08h]
call dword ptr [1002A088h]
push C0000409h
call dword ptr [1002A040h]
push eax
call dword ptr [1002A090h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [1002A094h]
test eax, eax
je 00007F95B4A4F8F7h
push 00000002h
pop ecx
int 29h
mov dword ptr [1005E278h], eax
mov dword ptr [1005E274h], ecx
mov dword ptr [1005E270h], edx
mov dword ptr [1005E26Ch], ebx
mov dword ptr [1005E268h], esi
mov dword ptr [1005E264h], edi
mov word ptr [eax], es

Note: the preview is the MSVC C runtime's DLL entry stub, not sample-specific code. The first function compares fdwReason ([ebp+0Ch]) with DLL_PROCESS_ATTACH (1), initialises the security cookie, and forwards the three DllMain arguments; the later functions are the /GS failure path (SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, then TerminateProcess with STATUS_STACK_BUFFER_OVERRUN = 0xC0000409) and the __fastfail path (IsProcessorFeaturePresent(PF_FASTFAIL_AVAILABLE = 0x17) followed by int 29h). The disassembler runs past the end of that routine, which is why the listing trails off into register stores and a meaningless mov word ptr [eax], es. The sample's own code is reached from DllMain and from the TLS callback at 0x1000c340, which runs before the entry point.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x5b590          0x614         .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x5bba4          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x60000          0x1bc0        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x5a1dc          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x5a300          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x5a230          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2a000          0x154         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type            Entropy        Characteristics
.text   0x1000           0x28bb4       0x28c00   False     0.53924822661    data                 6.1540438823   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x2a000          0x32362       0x32400   False     0.817800645211   data                 7.40644078277  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x5d000          0x1ba4        0x1200    False     0.287109375      data                 2.60484752417  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata  0x5f000          0x4c4         0x600     False     0.360677083333   AmigaOS bitmap font  2.17228109861  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc  0x60000          0x1bc0        0x1c00    False     0.7880859375     data                 6.62631718459  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
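The section table is where most of the static triage signal sits, but the numbers are easy to misread across five rows. The script below is an added example (not part of the sandbox report) that transcribes the General and Sections values above and runs the checks an analyst would do by hand: entropy per section (.rdata at 7.4 bits/byte over 0x32362 bytes is packed or encrypted content, not ordinary read-only data), W+X sections, WRITE on sections that are normally read-only (.pdata here), section alignment and contiguity, and which section the entry point and the TLS callback actually fall in. SectionAlignment is not printed by the report; 0x1000 is assumed. The "File Type" column's "AmigaOS bitmap font" is a libmagic signature collision on raw section bytes and carries no meaning.

```python
"""Header and section triage over the values transcribed from the report
tables above (ImageBase, Entrypoint, TLS callback, section table).
Added example, not part of the sandbox report; reads nothing from disk."""
from typing import Dict, List, Optional, Tuple

IMAGE_BASE = 0x10000000
ENTRYPOINT_VA = 0x1001CAC1
TLS_CALLBACK_VA = 0x1000C340
# Assumption: the report does not print SectionAlignment. 0x1000 is the MSVC
# default and is consistent with every section VA in the table.
SECTION_ALIGNMENT = 0x1000
# Sections on which a WRITE flag is expected; WRITE anywhere else is worth a look.
USUALLY_WRITABLE = {".data", ".bss", ".tls", ".idata", ".CRT"}

# (name, VirtualAddress, VirtualSize, SizeOfRawData, entropy, characteristics)
Section = Tuple[str, int, int, int, float, frozenset]
SECTIONS: List[Section] = [
    (".text",  0x1000,  0x28BB4, 0x28C00, 6.1540438823,  frozenset({"EXECUTE", "CODE", "READ"})),
    (".rdata", 0x2A000, 0x32362, 0x32400, 7.40644078277, frozenset({"INITIALIZED_DATA", "READ"})),
    (".data",  0x5D000, 0x1BA4,  0x1200,  2.60484752417, frozenset({"INITIALIZED_DATA", "WRITE", "READ"})),
    (".pdata", 0x5F000, 0x4C4,   0x600,   2.17228109861, frozenset({"INITIALIZED_DATA", "WRITE", "READ"})),
    (".reloc", 0x60000, 0x1BC0,  0x1C00,  6.62631718459, frozenset({"INITIALIZED_DATA", "DISCARDABLE", "READ"})),
]


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def section_for_va(va: int, sections: List[Section] = SECTIONS) -> Optional[str]:
    """Name of the section whose virtual range contains an absolute VA, else None
    (None for the PE header itself or for padding between sections)."""
    rva = va - IMAGE_BASE
    for name, vaddr, vsize, _raw, _ent, _chars in sections:
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def triage(sections: List[Section] = SECTIONS,
           entropy_threshold: float = 7.0) -> Dict[str, List[str]]:
    """Per check, the names of the sections that tripped it."""
    findings: Dict[str, List[str]] = {
        "high_entropy": [],      # >= threshold bits/byte: packed or encrypted content
        "write_execute": [],     # W+X section: classic self-modifying unpacker stub
        "writable_unusual": [],  # WRITE on a section that is normally read-only
        "misaligned": [],        # VA not a multiple of SectionAlignment
        "gap_or_overlap": [],    # VA != previous section's end rounded up
    }
    expected_va: Optional[int] = None
    for name, vaddr, vsize, _rsize, entropy, chars in sections:
        if entropy >= entropy_threshold:
            findings["high_entropy"].append(name)
        if {"WRITE", "EXECUTE"} <= chars:
            findings["write_execute"].append(name)
        if "WRITE" in chars and name not in USUALLY_WRITABLE:
            findings["writable_unusual"].append(name)
        if vaddr % SECTION_ALIGNMENT:
            findings["misaligned"].append(name)
        if expected_va is not None and vaddr != expected_va:
            findings["gap_or_overlap"].append(name)
        expected_va = align_up(vaddr + vsize, SECTION_ALIGNMENT)
    return findings


def code_entry_sections() -> Dict[str, Optional[str]]:
    """Where the two addresses the loader transfers control to actually live.
    The TLS callback runs before the entry point, so it gets the same scrutiny."""
    return {"entrypoint": section_for_va(ENTRYPOINT_VA),
            "tls_callback": section_for_va(TLS_CALLBACK_VA)}


if __name__ == "__main__":
    for check, names in triage().items():
        print(f"{check:18s} {', '.join(names) or '-'}")
    print(code_entry_sections())
```

On this table the script reports .rdata as high-entropy, .pdata as unexpectedly writable, no W+X section, no alignment gaps, and both the entry point and the TLS callback inside .text. The same checks run unchanged against a live file if the tuples are filled from pefile's `pe.sections` instead of transcribed by hand.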

Imports

DLL: Imports
KERNEL32.dll: HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer
USER32.dll: GetDC, ReleaseDC, GetWindowRect
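The Import Hash in the General table is derived from exactly this list, and knowing how lets you reproduce it, pivot on it, and debug disagreements between tools. The script below is an added example (not part of the sandbox report) implementing imphash the way pefile does: lower-cased "module.function" pairs in import-table order, with a .dll/.ocx/.sys extension stripped from the module name, joined by commas and hashed with MD5. It assumes the report lists each DLL's functions in import-table order, which is what the digest depends on; run it and compare the output with the Import Hash above. A mismatch means the report's tool walked the table in a different order or saw entries (for example ordinal-only imports, which pefile renders as "ordN") that this list does not reproduce.

```python
"""Recompute the import hash (imphash) from the import table reproduced above.
Added example, not part of the sandbox report. Implements the pefile algorithm:
MD5 over comma-joined, lower-cased "module.function" pairs in import order,
with a .dll/.ocx/.sys module extension stripped."""
import hashlib
from typing import List, Tuple

# Assumption: the report lists each DLL's functions in import-table order.
KERNEL32 = [n.strip() for n in """
HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress,
TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive,
AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW,
GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread,
RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA,
CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc,
GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx,
UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess,
IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId,
GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent,
GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList,
EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection,
InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW,
ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW,
FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA,
MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW,
FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize,
SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer
""".split(",") if n.strip()]
USER32 = ["GetDC", "ReleaseDC", "GetWindowRect"]
IMPORTS: List[Tuple[str, List[str]]] = [("KERNEL32.dll", KERNEL32), ("USER32.dll", USER32)]


def normalise_module(dll: str) -> str:
    """kernel32.dll -> kernel32; any other extension is left in place (pefile behaviour)."""
    mod = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if mod.endswith(ext):
            return mod[: -len(ext)]
    return mod


def imphash_input(imports: List[Tuple[str, List[str]]]) -> str:
    """The exact string that gets hashed. When two tools disagree on an imphash,
    diff their inputs rather than their digests."""
    return ",".join(f"{normalise_module(dll)}.{fn.lower()}"
                    for dll, fns in imports for fn in fns)


def imphash(imports: List[Tuple[str, List[str]]]) -> str:
    """Order-sensitive: swapping two entries yields a different digest."""
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash(IMPORTS))  # compare with the Import Hash in the General table
```

Because the digest is order-sensitive and ignores everything but the import names, it survives rebuilds that only change code or strings but breaks as soon as the linker emits a different import layout, which is the property that makes it a useful (and a brittle) pivot across samples.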

Exports

Name               Ordinal  Address
Control_RunDLL     1        0x100010a0
axamexdrqyrgb      2        0x100017b0
bhramccfbdd        3        0x10001690
bptyjtyr           4        0x10001640
bxoqrnuua          5        0x100016c0
cegjceivzmgdcffk   6        0x100014e0
cgxpyqfkocm        7        0x10001480
chjbtsnqmvl        8        0x10001540
crfsijq            9        0x10001730
empxfws            10       0x10001590
fbgcvvbrlowsjsj    11       0x10001550
fjhmprw            12       0x10001660
gfqdajfucnxrv      13       0x10001850
hcloldazhuvj       14       0x10001790
idcumrbybo         15       0x10001500
ihvpwdsfllpvrzy    16       0x10001750
iuzqizpdhxqkmf     17       0x100014c0
jaarlqsruhrwpipt   18       0x100016e0
jndshbhgxdkvvtj    19       0x10001600
jniijdleqsyajeis   20       0x10001650
jtjqgma            21       0x100016f0
kffxtbzhfgbqlu     22       0x10001630
kwxkzdhqe          23       0x100016d0
lidhnvsukgiuabh    24       0x100016b0
ltcrkednwfkup      25       0x10001820
lvrmqgtvhsegpbvmq  26       0x10001770
mxvwvnerswyylp     27       0x10001520
ndlmbjceavqdintmv  28       0x100017d0
nvnriipkwrmxwsu    29       0x10001510
oafxfavxmi         30       0x10001570
ocwutlohg          31       0x100014b0
olcklbdvo          32       0x10001680
pawvqfmiz          33       0x100015e0
pdmomnjmmryopqza   34       0x10001560
plzkvjcbz          35       0x10001710
poasqvltrkgvepng   36       0x10001840
psjoyjhsrkg        37       0x100015b0
qdimtzieldbl       38       0x10001620
qzvngjfyuxpjag     39       0x10001580
relsounb           40       0x100016a0
rykebhcisi         41       0x10001670
snrvgvzpjh         42       0x100017c0
sqnfcfmocgbg       43       0x10001740
sxgllzweihxqxi     44       0x10001760
tgagxhhcfj         45       0x10001780
thjyvtvttwpah      46       0x10001830
uvypobslemtipv     47       0x10001640
vgidwtjsbwpxkdxj   48       0x100017a0
wahhdker           49       0x100014a0
wamqmispvbxt       50       0x100015f0
witvsjavqyw        51       0x10001720
wopabadcwdizvwlgk  52       0x10001490
wpzyecljz          53       0x10001800
wukgfirfwilhu      54       0x100015d0
xntbmrrxs          55       0x100017f0
xsxwxreryufxwuhh   56       0x10001700
xvgdevijtw         57       0x10001610
ydvqidso           58       0x100015c0
yggdjrsewuw        59       0x100015a0
zaeqdmhaky         60       0x100017e0
                                                                                                                                                                          zakvwkjnk610x10001700
                                                                                                                                                                          zqbggkzy620x100014f0
                                                                                                                                                                          zqtdpertk630x100014d0
                                                                                                                                                                          zshfybkvzv640x10001810
                                                                                                                                                                          zxxopqyvfoesyhmup650x10001530

                                                                                                                                                                          Network Behavior

                                                                                                                                                                          No network behavior found

                                                                                                                                                                          Code Manipulations

                                                                                                                                                                          Statistics

                                                                                                                                                                          Behavior

                                                                                                                                                                          System Behavior

                                                                                                                                                                          General

                                                                                                                                                                          Start time:18:27:10
                                                                                                                                                                          Start date:01/12/2021
                                                                                                                                                                          Path:C:\Windows\System32\loaddll32.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:loaddll32.exe "C:\Users\user\Desktop\mal2.dll"
                                                                                                                                                                          Imagebase:0x1170000
                                                                                                                                                                          File size:893440 bytes
                                                                                                                                                                          MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.566657802.00000000007A0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.642601650.00000000007A0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.567231949.0000000000D2C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.597839039.00000000007A0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.596491370.00000000007A0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.568652514.00000000007A0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.643009162.0000000000D2C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.596841009.0000000000D2C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.598456484.0000000000D2C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.568840979.0000000000D2C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                          Reputation:high

                                                                                                                                                                          General

                                                                                                                                                                          Start time:18:27:10
                                                                                                                                                                          Start date:01/12/2021
                                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1
                                                                                                                                                                          Imagebase:0x150000
                                                                                                                                                                          File size:232960 bytes
                                                                                                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high

                                                                                                                                                                          General

                                                                                                                                                                          Start time:18:27:10
                                                                                                                                                                          Start date:01/12/2021
                                                                                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\mal2.dll,Control_RunDLL
                                                                                                                                                                          Imagebase:0x10d0000
                                                                                                                                                                          File size:61952 bytes
                                                                                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.545043648.0000000001060000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000003.526115475.0000000003368000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                          Reputation:high

                                                                                                                                                                          General

                                                                                                                                                                          Start time:18:27:11
                                                                                                                                                                          Start date:01/12/2021
                                                                                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\mal2.dll",#1
                                                                                                                                                                          Imagebase:0x10d0000
                                                                                                                                                                          File size:61952 bytes
                                                                                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.543502348.0000000000BA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.543542843.0000000000CFA000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                          Reputation:high

                                                                                                                                                                          General

                                                                                                                                                                          Start time:18:27:11
                                                                                                                                                                          Start date:01/12/2021
                                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                          Imagebase:0x7ff797770000
                                                                                                                                                                          File size:51288 bytes
                                                                                                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high

                                                                                                                                                                          General

                                                                                                                                                                          Start time:18:27:15
                                                                                                                                                                          Start date:01/12/2021
                                                                                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\mal2.dll,axamexdrqyrgb
                                                                                                                                                                          Imagebase:0x10d0000
                                                                                                                                                                          File size:61952 bytes
                                                                                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.564875818.000000000328A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.564446850.0000000000DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                                                                                          Reputation:high

                                                                                                                                                                          General

                                                                                                                                                                          Start time:18:27:21
                                                                                                                                                                          Start date:01/12/2021
                                                                                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\mal2.dll,bhramccfbdd
                                                                                                                                                                          Imagebase:0x10d0000
                                                                                                                                                                          File size:61952 bytes
                                                                                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.564537877.000000000076A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.564451857.0000000000650000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                                                                                          Reputation:high

                                                                                                                                                                          General

                                                                                                                                                                          Start time:18:27:21
                                                                                                                                                                          Start date:01/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:27:36
Start date: 01/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:27:43
Start date: 01/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 18:28:02
Start date: 01/12/2021
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff711470000
File size: 163336 bytes
MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 18:28:18
Start date: 01/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 18:29:18
Start date: 01/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Imagebase: 0x10d0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 18:29:18
Start date: 01/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xjvbeeymcqp\hqokwlnubzbb.uql",vvWvMRmVQ
Imagebase: 0x10d0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 18:29:26
Start date: 01/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Imagebase: 0x10d0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 18:29:33
Start date: 01/12/2021
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase: 0x7ff737de0000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 18:29:33
Start date: 01/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal2.dll",Control_RunDLL
Imagebase: 0x10d0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 18:29:33
Start date: 01/12/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 18:29:33
Start date: 01/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 18:29:34
Start date: 01/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1456 -ip 1456
Imagebase: 0x1360000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 18:29:36
Start date: 01/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 304
Imagebase: 0x1360000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 18:29:48
Start date: 01/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 1456 -ip 1456
Imagebase: 0x1360000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                                                                                                                                                          General

                                                                                                                                                                          Start time:18:29:50
                                                                                                                                                                          Start date:01/12/2021
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 312
                                                                                                                                                                          Imagebase:0x1360000
                                                                                                                                                                          File size:434592 bytes
                                                                                                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language

                                                                                                                                                                          Disassembly

                                                                                                                                                                          Code Analysis