
Windows Analysis Report Zd9TtpY4Kh

Overview

General Information

Sample Name: Zd9TtpY4Kh (renamed file extension from none to dll)
Analysis ID: 532296
MD5: 71eea35f36f3642fdbb94d9310e87747
SHA1: 25bcd5a134df55a5465ebe39f57bf758d5672197
SHA256: bbadafe48d63d23d3a2ebb4a4103e32646d314d5ffb8e2551d62270f8b3ec352
Tags: 32, dll, exe
Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5444 cmdline: loaddll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5460 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5560 cmdline: rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6296 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5724 cmdline: rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 2144 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw",IADPmoEsmQuul MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6276 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kqkxkcs\syeog.ubw",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4396 cmdline: rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6136 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6244 cmdline: rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,akyncbgollmj MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6172 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 3664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 320 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 340 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6200 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6360 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6564 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6892 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 7076 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 7116 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 2036 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 1884 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 1060 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5444 -ip 5444 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5988 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 5444 -ip 5444 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6864 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3420 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2592 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1412 cmdline: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.539981294.0000000000FA0000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000000.539981294.0000000000FA0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000000.562664559.0000000000FA0000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000000.562664559.0000000000FA0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000003.507700136.0000000002EFC000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(5 of 33 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.loaddll32.exe.fa0000.9.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.0.loaddll32.exe.fa0000.9.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.0.loaddll32.exe.fa0000.9.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.0.loaddll32.exe.fa0000.9.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.0.loaddll32.exe.fa0000.6.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(5 of 75 entries shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started, Author: FPT.EagleEye, Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kqkxkcs\syeog.ubw",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kqkxkcs\syeog.ubw",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw",IADPmoEsmQuul, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2144, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kqkxkcs\syeog.ubw",Control_RunDLL, ProcessId: 6276

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: Zd9TtpY4Kh.dll, ReversingLabs: Detection: 17%
Source: Zd9TtpY4Kh.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: Zd9TtpY4Kh.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT

E-Banking Fraud:

Yara detected Emotet

System Summary:

Source: Zd9TtpY4Kh.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: C:\Windows\System32\svchost.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5444 -ip 5444
Source: C:\Windows\SysWOW64\rundll32.exe, File deleted: C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Kqkxkcs\
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6EDCAC90 appears 33 times
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6EDB1DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6EDCAC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6EDB1DE0 appears 93 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: Zd9TtpY4Kh.dll | ReversingLabs: Detection: 17%
Source: Zd9TtpY4Kh.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,akyncbgollmj
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw",IADPmoEsmQuul
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5444 -ip 5444
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 320
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 5444 -ip 5444
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 340
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kqkxkcs\syeog.ubw",Control_RunDLL
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,akyncbgollmj
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw",IADPmoEsmQuul
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kqkxkcs\syeog.ubw",Control_RunDLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5444 -ip 5444
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 320
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 5444 -ip 5444
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 340
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A77.tmp
Source: classification engine | Classification label: mal80.troj.evad.winDLL@45/21@0/2
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:1060:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:5988:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5444
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4500:120:WilError_01
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: Zd9TtpY4Kh.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Zd9TtpY4Kh.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.547405637.0000000004247000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.558985730.0000000000472000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00FA13E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EDD6A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6EDD6A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_028413E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_02EC13E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EDBE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Kqkxkcs\syeog.ubwJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe    File opened: C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\WerFault.exe    Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 6224    Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6288    Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe    Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe    File opened: PhysicalDrive0
                      Source: C:\Windows\System32\svchost.exe    Process information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDD0927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6EDD0927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exe    File Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.22.dr    Binary or memory string: VMware
                      Source: Amcache.hve.22.dr    Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: svchost.exe, 00000005.00000002.631051852.000001B12B061000.00000004.00000001.sdmp    Binary or memory string: "@Hyper-V RAW
                      Source: Amcache.hve.22.dr    Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.22.dr    Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.22.dr    Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.22.dr    Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.22.dr    Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.22.dr    Binary or memory string: VMware7,1
                      Source: Amcache.hve.22.dr    Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.22.dr    Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.22.dr    Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: svchost.exe, 00000005.00000002.631039231.000001B12B054000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.630734667.000001B125A29000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.594100601.000000000492B000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.594133771.000000000492E000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.594163429.0000000004934000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.596176213.0000000004935000.00000004.00000001.sdmp    Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.22.dr    Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.22.dr    Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: WerFault.exe, 00000018.00000002.596113457.0000000004900000.00000004.00000001.sdmp    Binary or memory string: Hyper-V RAW(
                      Source: Amcache.hve.22.dr    Binary or memory string: VMware, Inc.me
                      Source: Amcache.hve.22.dr    Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.22.dr    Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
                      Source: svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.774370076.0000029555629000.00000004.00000001.sdmp    Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Amcache.hve.22.dr    Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDCAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDBE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDB1290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_00FB07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDC9990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDCEC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDD02CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDC9920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDC9920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6EDC9990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6EDCEC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6EDD02CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6EDC9920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6EDC9920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 4_2_028507D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 16_2_02ED07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe    Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe    Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_00FA2ADB LdrInitializeThunk,
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDCA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDCAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDD0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6EDCA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6EDCAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6EDD0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\cmd.exe    Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
                      Source: C:\Windows\System32\svchost.exe    Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5444 -ip 5444
                      Source: C:\Windows\System32\svchost.exe    Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 320
                      Source: C:\Windows\System32\svchost.exe    Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 5444 -ip 5444
                      Source: C:\Windows\System32\svchost.exe    Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 340
                      Source: loaddll32.exe, 00000000.00000000.563156446.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.561900218.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.540227987.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.542781571.0000000001A40000.00000002.00020000.sdmp, rundll32.exe, 0000001E.00000002.776456437.0000000002DC0000.00000002.00020000.sdmp    Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.563156446.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.561900218.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.540227987.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.542781571.0000000001A40000.00000002.00020000.sdmp, rundll32.exe, 0000001E.00000002.776456437.0000000002DC0000.00000002.00020000.sdmp    Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.563156446.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.561900218.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.540227987.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.542781571.0000000001A40000.00000002.00020000.sdmp, rundll32.exe, 0000001E.00000002.776456437.0000000002DC0000.00000002.00020000.sdmp    Binary or memory string: SProgram Managerl
                      Source: loaddll32.exe, 00000000.00000000.563156446.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.561900218.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.540227987.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.542781571.0000000001A40000.00000002.00020000.sdmp, rundll32.exe, 0000001E.00000002.776456437.0000000002DC0000.00000002.00020000.sdmp    Binary or memory string: Shell_TrayWnd,
                      Source: loaddll32.exe, 00000000.00000000.563156446.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.561900218.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.540227987.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.542781571.0000000001A40000.00000002.00020000.sdmp, rundll32.exe, 0000001E.00000002.776456437.0000000002DC0000.00000002.00020000.sdmp    Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe    Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDCA584 cpuid
                      Source: C:\Windows\System32\loaddll32.exe    Code function: 0_2_6EDCA755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe    Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exe    WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe    WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe    WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe    WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: Amcache.hve.22.dr    Binary or memory string: msmpeng.exe
                      Source: Amcache.hve.22.dr    Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: svchost.exe, 0000000E.00000002.774753733.000002E08A640000.00000004.00000001.sdmp    Binary or memory string: &@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
                      Source: svchost.exe, 0000000E.00000002.774572684.000002E08A629000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.775088869.000002E08A702000.00000004.00000001.sdmp    Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match    File source: 0.0.loaddll32.exe.fa0000.9.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.fa0000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.fa0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 2.2.rundll32.exe.2da0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 30.2.rundll32.exe.26a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 4.2.rundll32.exe.2840000.1.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 4.2.rundll32.exe.2840000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 16.2.rundll32.exe.2ec0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 30.2.rundll32.exe.26a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.loaddll32.exe.fa0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 4.2.rundll32.exe.27521e0.0.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.fa0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.fa0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.1383618.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.1383618.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.1383618.4.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 4.2.rundll32.exe.27521e0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 6.2.rundll32.exe.29121e8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 6.2.rundll32.exe.2a00000.1.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.1383618.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.1383618.10.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.1383618.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.loaddll32.exe.1383618.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 6.2.rundll32.exe.29121e8.0.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 3.2.rundll32.exe.2933508.1.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.loaddll32.exe.fa0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.fa0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.loaddll32.exe.1383618.1.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.fa0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 16.2.rundll32.exe.2da24b8.0.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 3.2.rundll32.exe.2933508.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 6.2.rundll32.exe.2a00000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 16.2.rundll32.exe.2ec0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 3.2.rundll32.exe.2660000.0.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.fa0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 2.2.rundll32.exe.2da0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.1383618.1.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.0.loaddll32.exe.1383618.7.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 3.2.rundll32.exe.2660000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 16.2.rundll32.exe.2da24b8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000000.539981294.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.562664559.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.507700136.0000000002EFC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.540057881.000000000137C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.540904925.00000000028FA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.534967742.000000000273A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.561743739.000000000137C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.538242653.000000000291A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.537633031.0000000002660000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.534990244.0000000002840000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.542442475.000000000137C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.563041724.000000000137C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.651948468.0000000002D8A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.651976449.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.541263948.0000000002A00000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000002.775119059.00000000026A0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.596937604.000000000137C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.561459077.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.542217719.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.521244679.0000000002DA0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.596698488.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY

Mitre Att&ck Matrix

Counts in parentheses give the number of report signatures mapped to that technique; cells without a count are placeholders from the matrix layout, not observations from this analysis.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Process Injection (12) | Masquerading (2) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (3) | Security Account Manager | Security Software Discovery (61) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (12) | NTDS | Virtualization/Sandbox Evasion (3) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Process Discovery (2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories (1) | Cached Domain Credentials | Remote System Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (2) | DCSync | File and Directory Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 (1) | Proc Filesystem | System Information Discovery (33) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | File Deletion (1) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 532296, Sample: Zd9TtpY4Kh, Start date: 01/12/2021, Architecture: WINDOWS, Score: 80

Signatures attached to the sample node: Sigma detected: Emotet RunDLL32 Process Creation; Multi AV Scanner detection for submitted file; Yara detected Emotet

Process tree recovered from the graph (per-process file and registry counters omitted; signatures attached to a process are given in brackets):

Start
  loaddll32.exe
    rundll32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
      rundll32.exe
        rundll32.exe
    cmd.exe
      rundll32.exe
        rundll32.exe
    rundll32.exe
      rundll32.exe
    3 other processes
      rundll32.exe
  svchost.exe  [Changes security center settings (notifications, updates, antivirus, firewall)]
    MpCmdRun.exe
      conhost.exe
  svchost.exe  (contacts 192.168.2.1, country and ASN unknown)
    WerFault.exe
    WerFault.exe
  9 other processes  (contact 127.0.0.1, country and ASN unknown)
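The chain in the graph, loaddll32.exe starting rundll32.exe which starts rundll32.exe again, and cmd.exe doing the same, is the process relationship behind the "Sigma detected: Emotet RunDLL32 Process Creation" signature attached to the sample node. The Python below is an added example and not the Joe Sandbox report's or the Sigma project's code: it rebuilds a process tree from process-creation events constructed to mirror the graph (pids are illustrative), flags every rundll32.exe whose parent is itself rundll32.exe, and reports how deep the relaunch chain runs back to its root. It matches only on the parent/child image relationship visible in the graph, which is narrower than a production rule would use.

```python
"""Added example: flag the rundll32.exe -> rundll32.exe relaunch chains shown in the
behavior graph. Not part of the Joe Sandbox report; EVENTS is constructed to mirror
the graph and the pids are illustrative."""

# (pid, parent_pid, image), constructed from the report's behavior graph
EVENTS = [
    (100, 1, "loaddll32.exe"),
    (101, 100, "rundll32.exe"),
    (102, 100, "cmd.exe"),
    (103, 100, "rundll32.exe"),
    (104, 101, "rundll32.exe"),
    (105, 102, "rundll32.exe"),
    (106, 103, "rundll32.exe"),
    (107, 104, "rundll32.exe"),
    (108, 105, "rundll32.exe"),
    (200, 1, "svchost.exe"),
    (201, 200, "MpCmdRun.exe"),
    (202, 201, "conhost.exe"),
]

RUNDLL32 = "rundll32.exe"


def build_tree(events):
    """Map pid -> (parent_pid, image)."""
    return {pid: (ppid, image) for pid, ppid, image in events}


def ancestry(tree, pid):
    """Image names from pid up to the root; stops at an unknown parent or a loop."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        chain.append(image)
        pid = ppid
    return chain


def rundll32_relaunches(events):
    """Sorted pids of rundll32.exe instances whose parent is also rundll32.exe."""
    tree = build_tree(events)
    hits = []
    for pid, (ppid, image) in tree.items():
        if image.lower() != RUNDLL32:
            continue
        parent = tree.get(ppid)
        if parent is not None and parent[1].lower() == RUNDLL32:
            hits.append(pid)
    return sorted(hits)


def longest_rundll32_run(events):
    """Longest run of consecutive rundll32.exe images at the bottom of any ancestry chain."""
    tree = build_tree(events)
    best = 0
    for pid in tree:
        run = 0
        for image in ancestry(tree, pid):
            if image.lower() != RUNDLL32:
                break
            run += 1
        best = max(best, run)
    return best


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for pid in rundll32_relaunches(EVENTS):
        print(pid, " <- ".join(ancestry(tree, pid)))
    print("longest rundll32 relaunch chain:", longest_rundll32_run(EVENTS))
```

Run against real telemetry, the same three functions work on Sysmon event ID 1 or EDR process-start records once they are reduced to (pid, parent pid, image) tuples; a chain of three rundll32.exe images rooted in a loader or cmd.exe, as here, is the shape worth alerting on.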

                      Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Zd9TtpY4Kh.dll | 18% | ReversingLabs | Win32.Infostealer.Convagent

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.loaddll32.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
4.2.rundll32.exe.2840000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
2.2.rundll32.exe.2da0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
16.2.rundll32.exe.2ec0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
0.2.loaddll32.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
30.2.rundll32.exe.26a0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.fa0000.9.unpack | 100% | Avira | HEUR/AGEN.1110387
6.2.rundll32.exe.2a00000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.fa0000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.fa0000.6.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.2660000.0.unpack | 100% | Avira | HEUR/AGEN.1110387

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://crl.ver) | 0% | Avira URL Cloud | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
https://%s.dnet.xboxlive.com/ | 0% | Avira URL Cloud | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen19 | svchost.exe, 0000000C.00000003.417255421.0000021775446000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417221541.0000021775442000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417236188.0000021775443000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000C.00000002.451895729.0000021775441000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417263243.0000021775440000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000C.00000002.454924916.0000021775456000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 0000000C.00000003.417175938.0000021775469000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.458598242.000002177546B000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000005.00000002.631051852.000001B12B061000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000C.00000002.455648502.000002177545B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417221541.0000021775442000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417211454.000002177545A000.00000004.00000001.sdmp | false | | high
http://upx.sf.net | Amcache.hve.22.dr | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000C.00000003.417255421.0000021775446000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417221541.0000021775442000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417236188.0000021775443000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.453235698.000002177544E000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000C.00000002.454924916.0000021775456000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417204815.000002177545E000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry= | svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000C.00000002.455648502.000002177545B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417211454.000002177545A000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000C.00000002.454924916.0000021775456000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000C.00000003.417200811.0000021775460000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.456745075.0000021775461000.00000004.00000001.sdmp | false | | high
https://dynamic.t | svchost.exe, 0000000C.00000002.453235698.000002177544E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.456745075.0000021775461000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp | false | | high
https://%s.dnet.xboxlive.com/ | svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417243666.0000021775439000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000C.00000002.455648502.000002177545B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417211454.000002177545A000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket= | svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp | false | | high
https://activity.windows.com | svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 0000000C.00000002.443019178.0000021775413000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp | false | | high
https://%s.dnet.xboxlive.com | svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000C.00000002.454924916.0000021775456000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000C.00000003.417204815.000002177545E000.00000004.00000001.sdmp | false | | high
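The Yara match list earlier on this page names the processes that actually carried Emotet code (loaddll32.exe as process 0 and the rundll32.exe instances as processes 2, 3, 4, 6, 16 and 30 in the report's own numbering), while every row in the URL table above is sourced from svchost.exe dumps (processes 5, 7 and 12) or the Amcache hive, so none of the Bing Maps and Xbox Live strings is an indicator for the sample. The Python below is an added example, not part of the Joe Sandbox report. It decodes the two identifier formats used on this page, a decimal process number in the .unpack names and an eight-hex-digit process number as the first field of the .sdmp names (a layout assumed from matching pairs such as 30.2.rundll32.exe.26a0000.0.unpack and 0000001E.00000002.775119059.00000000026A0000.00000040.00000010.sdmp), and labels each URL row by whether its source process is one of the Yara-matched ones. The final URL row is constructed to exercise the positive case and does not appear in the report.

```python
"""Added example: map Joe Sandbox source identifiers back to process numbers so the
'URLs from Memory and Binaries' rows can be split into strings found in the sample's
(Yara-matched) processes and strings found in unrelated system processes. Not part of
the report; input lists are copied from it except where marked as constructed."""

import re

# Unpacked PE identifier: <pid>.<phase>.<image>.<base>.<index>[.raw].unpack  (decimal pid)
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<phase>\d+)\.(?P<image>[^.]+\.exe)\."
    r"(?P<base>[0-9a-fA-F]+)\.(?P<idx>\d+)(?:\.raw)?\.unpack$"
)
# Memory dump identifier: <pid>.<phase>.<dump>.<address>.<protect>.<type>.sdmp  (hex pid)
# Field layout assumed from the matching .unpack/.sdmp pairs in the report.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)

# Yara match sources copied from the report (subset).
YARA_SOURCES = [
    "0.2.loaddll32.exe.fa0000.0.unpack",
    "2.2.rundll32.exe.2da0000.0.unpack",
    "30.2.rundll32.exe.26a0000.0.raw.unpack",
    "00000003.00000002.537633031.0000000002660000.00000040.00000010.sdmp",
    "00000010.00000002.651976449.0000000002EC0000.00000040.00000001.sdmp",
    "0000001E.00000002.775119059.00000000026A0000.00000040.00000010.sdmp",
]

# (url, source column). The first three rows are from the report; the last is
# constructed to exercise the positive branch and is not in the report.
URL_ROWS = [
    ("https://dev.virtualearth.net/REST/v1/Routes/",
     "svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp"),
    ("https://%s.dnet.xboxlive.com",
     "svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp"),
    ("http://upx.sf.net", "Amcache.hve.22.dr"),
    ("https://example.invalid/constructed",
     "rundll32.exe, 00000002.00000002.521244679.0000000002DA0000.00000040.00000010.sdmp"),
]


def parse_source_pid(token):
    """Process number encoded in an .unpack or .sdmp identifier, or None for anything else."""
    m = UNPACK_RE.match(token)
    if m:
        return int(m.group("pid"))
    m = SDMP_RE.match(token)
    if m:
        return int(m.group("pid"), 16)
    return None


def yara_hit_pids(sources):
    """Set of process numbers whose memory or unpacked image matched Yara."""
    pids = set()
    for src in sources:
        pid = parse_source_pid(src)
        if pid is None:
            raise ValueError(f"unrecognised identifier: {src}")
        pids.add(pid)
    return pids


def url_source_pids(source_field):
    """The Source column alternates '<image>, <dump id>'; return the dump process numbers."""
    pids = set()
    for token in source_field.split(", "):
        pid = parse_source_pid(token)
        if pid is not None:
            pids.add(pid)
    return pids


def classify(url_rows, hit_pids):
    """url -> 'sample-process' | 'other-process' | 'file-artifact'."""
    labels = {}
    for url, source in url_rows:
        pids = url_source_pids(source)
        if not pids:
            labels[url] = "file-artifact"
        elif pids & hit_pids:
            labels[url] = "sample-process"
        else:
            labels[url] = "other-process"
    return labels


if __name__ == "__main__":
    hits = yara_hit_pids(YARA_SOURCES)
    print("Yara-matched processes:", sorted(hits))
    for url, label in classify(URL_ROWS, hits).items():
        print(f"{label:15} {url}")
```

Only rows labelled sample-process deserve a place on an indicator list; in this report there are none, so the URL table is telemetry from the analysis VM's own services rather than Emotet network behaviour.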

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
(no entries)

Private

IP
192.168.2.1
127.0.0.1

                                                                                                General Information

                                                                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                Analysis ID:532296
                                                                                                Start date:01.12.2021
                                                                                                Start time:23:57:16
                                                                                                Joe Sandbox Product:CloudBasic
                                                                                                Overall analysis duration:0h 12m 45s
                                                                                                Hypervisor based Inspection enabled:false
                                                                                                Report type:light
                                                                                                Sample file name:Zd9TtpY4Kh (renamed file extension from none to dll)
                                                                                                Cookbook file name:default.jbs
                                                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                Number of analysed new started processes analysed:40
                                                                                                Number of new started drivers analysed:0
                                                                                                Number of existing processes analysed:0
                                                                                                Number of existing drivers analysed:0
                                                                                                Number of injected processes analysed:0
                                                                                                Technologies:
                                                                                                • HCA enabled
                                                                                                • EGA enabled
                                                                                                • HDC enabled
                                                                                                • AMSI enabled
                                                                                                Analysis Mode:default
                                                                                                Analysis stop reason:Timeout
                                                                                                Detection:MAL
                                                                                                Classification:mal80.troj.evad.winDLL@45/21@0/2
                                                                                                EGA Information:Failed
                                                                                                HDC Information:
                                                                                                • Successful, ratio: 21% (good quality ratio 19.5%)
                                                                                                • Quality average: 72.8%
                                                                                                • Quality standard deviation: 27.2%
                                                                                                HCA Information:
                                                                                                • Successful, ratio: 71%
                                                                                                • Number of executed functions: 0
                                                                                                • Number of non-executed functions: 0
                                                                                                Cookbook Comments:
                                                                                                • Adjust boot time
                                                                                                • Enable AMSI
                                                                                                • Override analysis time to 240s for rundll32
                                                                                                Warnings:
                                                                                                Show All
                                                                                                • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe
                                                                                                • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.189.173.22, 20.54.110.249
                                                                                                • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                 • Not all processes were analyzed, report is missing behavior information
                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/532296/sample/Zd9TtpY4Kh.dll

                                                                                                Simulations

                                                                                                Behavior and APIs

                                                                                                 Time      Type             Description
                                                                                                 00:01:00  API Interceptor  1x Sleep call for process: WerFault.exe modified
                                                                                                 00:01:10  API Interceptor  1x Sleep call for process: MpCmdRun.exe modified
                                                                                                 23:58:24  API Interceptor  3x Sleep call for process: svchost.exe modified

                                                                                                Joe Sandbox View / Context

                                                                                                IPs

                                                                                                No context

                                                                                                Domains

                                                                                                No context

                                                                                                ASN

                                                                                                No context

                                                                                                JA3 Fingerprints

                                                                                                No context

                                                                                                Dropped Files

                                                                                                No context

                                                                                                Created / dropped Files

                                                                                                C:\ProgramData\Microsoft\Network\Downloader\edb.chk
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):8192
                                                                                                Entropy (8bit):0.3593198815979092
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
                                                                                                MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
                                                                                                SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
                                                                                                SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
                                                                                                SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
                                                                                                Malicious:false
                                                                                                Preview: .............*..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................*.............................................................................................................................................................................................................................................................................................................................................................
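Every dropped-file entry in this report carries the same fixed set of fields: size, 8-bit Shannon entropy, an Encrypted flag, and MD5/SHA-1/SHA-256/SHA-512 digests. The following script recomputes those fields for any file so an analyst can verify a hash against the report or triage new drops the same way. It is an added example written for this page, not Joe Sandbox code; the 7.0 bits-per-byte threshold used for the Encrypted flag is an assumption (the report does not state its own rule), and the sample inputs are constructed inline.

```python
"""Recompute the per-file fields a sandbox report lists for a dropped file.

Added example, not Joe Sandbox's code.  ENTROPY_THRESHOLD is an assumption:
a file whose entropy approaches 8 bits/byte is almost certainly compressed,
packed or encrypted, which is what the report's "Encrypted" flag hints at.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass

ENTROPY_THRESHOLD = 7.0  # assumption used for illustration only
DIGESTS = ("md5", "sha1", "sha256", "sha512")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class FileFacts:
    size: int
    entropy: float
    encrypted: bool
    md5: str
    sha1: str
    sha256: str
    sha512: str


def _facts(size: int, counts: Counter, hashes: dict) -> FileFacts:
    ent = 0.0 if size == 0 else -sum(
        (c / size) * math.log2(c / size) for c in counts.values()
    )
    return FileFacts(
        size=size,
        entropy=ent,
        encrypted=ent >= ENTROPY_THRESHOLD,
        # the report prints digests in upper-case hex, so match that
        **{name: hashes[name].hexdigest().upper() for name in DIGESTS},
    )


def file_facts(data: bytes) -> FileFacts:
    """All fields for an in-memory blob (a captured drop, a carved buffer)."""
    hashes = {name: hashlib.new(name, data) for name in DIGESTS}
    return _facts(len(data), Counter(data), hashes)


def facts_from_path(path: str, chunk: int = 1 << 20) -> FileFacts:
    """Streaming variant: one pass, constant memory, for multi-MB drops."""
    hashes = {name: hashlib.new(name) for name in DIGESTS}
    counts: Counter = Counter()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            counts.update(block)          # byte histogram for the entropy
            for h in hashes.values():
                h.update(block)
    return _facts(size, counts, hashes)


if __name__ == "__main__":
    # Constructed samples: a mostly-zero 8 KiB blob like edb.chk above, and a
    # uniform byte distribution that looks like ciphertext.
    sparse = b"\x00" * 8000 + bytes(range(192))
    uniform = bytes(range(256)) * 32
    for label, blob in (("sparse", sparse), ("uniform", uniform)):
        f = file_facts(blob)
        print(f"{label}: size={f.size} entropy={f.entropy:.3f} "
              f"encrypted={f.encrypted} sha256={f.sha256}")
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(uniform)
    try:
        assert facts_from_path(tmp.name) == file_facts(uniform)
    finally:
        os.unlink(tmp.name)
```

The streaming variant produces exactly the same FileFacts as the in-memory one, so either can be used to confirm that a file recovered from a host matches a SHA-256 in this report before treating it as the same artifact.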
                                                                                                C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                 File Type:MPEG-4 LOAS (libmagic signature match only; this edb.log is the ESE transaction log that accompanies qmgr.db in the same BITS directory, not a media file)
                                                                                                Category:dropped
                                                                                                Size (bytes):1310720
                                                                                                Entropy (8bit):0.24939886406802472
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4d:BJiRdwfu2SRU4d
                                                                                                MD5:0245BC4CBCBB47A4B067A6F47832D223
                                                                                                SHA1:332FEC10CEBE65F76EA7099BF849481FE68AF52D
                                                                                                SHA-256:9051B7B80D2B7D08B06CED1DA66937C3EBE106D729E4BDD508125DE7AADD7540
                                                                                                SHA-512:EA466B0CA9EBC66157D30279076CEAFBCBE33687E5E43E3992E141EACB7BCABCD4822CCDA2A2ED1AB205CB68505438404566761DF6C8644831151DEC0522E790
                                                                                                Malicious:false
                                                                                                Preview: V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
                                                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x901c6e77, page size 16384, Windows version 10.0
                                                                                                Category:dropped
                                                                                                Size (bytes):786432
                                                                                                Entropy (8bit):0.25045402319804877
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:IJhJL+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:IH6SB2nSB2RSjlK/+mLesOj1J2
                                                                                                MD5:6FEA800880117319A225AA0B7C4EF63E
                                                                                                SHA1:57FA6C3611E7025EC00B3E0E15F9821476D3FF07
                                                                                                SHA-256:D1778188467E576886A655FEED75FCF10345D12E548BDD67D53963505967F1D7
                                                                                                SHA-512:DF38C37C027BAB784B7C1D685C3A1554B7E0B7DCCBD3528CC8FD769B2C9F68121D40C923E8393E37546D9EA000478529C972D62AAF90F9A492C223C60DD984A0
                                                                                                Malicious:false
                                                                                                Preview: ..nw... ................e.f.3...w........................)..........y]..:...y..h.(..........y]...)..............3...w...........................................................................................................B...........@...................................................................................................... ....................................................................................................................................................................................................................................................}......y].................0.o;.....y].........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):16384
                                                                                                Entropy (8bit):0.0742845021942003
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:OxKR7v90Sjl4pcjVygI4+Zlill3Vkttlmlnl:O4RrRjlkcBy73ZlG3
                                                                                                MD5:4AE1252F4F9730592073F18C15A76AB5
                                                                                                SHA1:7373EBE8ED03655378A153A8328C79D05CA9E1E9
                                                                                                SHA-256:BCB477DE94B7B36F81FA99669288B068AC791DCABA7530B66E1B11C659EE337A
                                                                                                SHA-512:59DAB3D7D09C5F4CA05596B2DACE1BC91A81616AB49DA42FF90DA3DE7F4BBF7CA0B267E73C0E7BE785B62116FF076B99D8B7C90BCDFF723CCEFA2078A36F5F9B
                                                                                                Malicious:false
                                                                                                Preview: .........................................3...w...:...y.......y]..............y]......y]....-....y9.................0.o;.....y].........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_747b3d3843a661accc8c92924ccfd5a2e2d128_d70d8aa6_0eb4dee1\Report.wer
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):65536
                                                                                                Entropy (8bit):0.6753131941863054
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:1Ohd1Zqy0y9hkoyt7JfqpXIQcQ5c6A2cE2cw33+a+z+HbHgLVG4rmMOyWZAXGngC:ObBtHnM28jj/q/u7svS274ItWP
                                                                                                MD5:DB15FC43E38AE2BC4B50631E1AC5DE94
                                                                                                SHA1:75B0A714B3AC3DEAE32FF403CA9D9E515551E849
                                                                                                SHA-256:F8815703A1F6414E9AC0C882A983CF268E08692771855634998B350FA3C2590D
                                                                                                SHA-512:2D36002D4D2CE0A543DEB0F637E9AB01210198447CE8DE53AE38C18380F3F0A2BCF98DE5EF17BEC23ECD19E9B2029F520C4C225D243AD0CF8A4FB5EB23A11A20
                                                                                                Malicious:false
                                                                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.5.6.3.8.9.1.7.2.9.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.3.4.5.c.d.7.-.8.7.2.6.-.4.9.9.d.-.8.f.d.5.-.1.e.6.6.3.f.a.1.b.7.8.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.1.4.8.7.0.9.-.2.d.7.4.-.4.d.0.6.-.b.b.2.6.-.6.9.4.9.e.2.3.3.6.7.e.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.4.4.-.0.0.0.1.-.0.0.1.6.-.e.d.a.a.-.c.4.5.c.5.2.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
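The two Report.wer files are Windows Error Reporting records for the loaddll32.exe crashes noted in the signatures: UTF-16LE text with a BOM, one key=value pair per CRLF line, with EventTime stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) and Wow64Host/Wow64Guest holding IMAGE_FILE_MACHINE values. The parser below is an added example for this page, not Joe Sandbox or Microsoft code; its sample input is constructed to mirror the fields that are fully visible in the preview above, and the summarize() output format is the author's own choice.

```python
"""Parse a Windows Error Reporting Report.wer file and decode its crash context.

Added example, not code from the report.  SAMPLE_WER is constructed from the
fields legible in the first Report.wer preview; the field layout (UTF-16LE with
BOM, CRLF, key=value) is the real WER format.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# IMAGE_FILE_MACHINE_* constants as they appear (decimal) in Wow64Host/Wow64Guest
MACHINE = {332: "i386", 34404: "AMD64", 43620: "ARM64"}

# Constructed sample mirroring the visible part of the first Report.wer above.
SAMPLE_WER = "\ufeff" + (
    "Version=1\r\n"
    "EventType=APPCRASH\r\n"
    "EventTime=132829056389172954\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "ReportIdentifier=af345cd7-8726-499d-8fd5-1e663fa1b78b\r\n"
    "IntegratorReportIdentifier=4a148709-2d74-4d06-bb26-6949e23367e2\r\n"
    "Wow64Host=34404\r\n"
    "Wow64Guest=332\r\n"
    "NsAppName=loaddll32.exe\r\n"
    "AppSessionGuid=00001544-0001-0016-edaa-c45c52e7d701\r\n"
)
SAMPLE_WER_BYTES = SAMPLE_WER.encode("utf-16-le")


def parse_wer(raw: bytes) -> dict:
    """Decode a Report.wer blob into an ordered {key: value} dict."""
    if raw.startswith(b"\xff\xfe"):          # strip the UTF-16LE BOM
        raw = raw[2:]
    text = raw.decode("utf-16-le")
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")  # values may themselves contain '='
        fields[key.strip()] = value.strip()
    return fields


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def summarize(fields: dict) -> dict:
    """Pull out the items an incident responder wants from a WER record."""
    event_time = filetime_to_datetime(int(fields["EventTime"]))
    host = int(fields.get("Wow64Host", 0))
    guest = int(fields.get("Wow64Guest", 0))
    return {
        "app": fields.get("NsAppName"),
        "event": fields.get("EventType"),
        "crashed_at_utc": event_time.isoformat(timespec="seconds"),
        "host_arch": MACHINE.get(host, hex(host)),
        "guest_arch": MACHINE.get(guest, hex(guest)),
        # a 32-bit image crashing under a 64-bit host is the WOW64 case
        "wow64": host != guest and guest != 0,
        "report_id": fields.get("ReportIdentifier"),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_wer(SAMPLE_WER_BYTES)).items():
        print(f"{k:>15}: {v}")
```

Decoding EventTime gives the absolute crash time even though the sandbox only shows relative timestamps, and Wow64Host=34404 / Wow64Guest=332 resolves to a 32-bit loaddll32.exe running under a 64-bit Windows host, which is consistent with the "Uses 32bit PE files" signature.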
                                                                                                C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_174921e5\Report.wer
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):65536
                                                                                                Entropy (8bit):0.6791326381097368
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uEFxJd1Zqy8y9hk1Dg3fWpXIQcQhc6tcEMcw32+a+z+HbHgLVG4rmMOyWZAXGng0:HPbBUH/pGoj/q/u7svS274ItW
                                                                                                MD5:D2D87B66ECABE4B40F90D4C19212563F
                                                                                                SHA1:32FCED2D3CC29B2A340CCA82E2FA3C244C68E929
                                                                                                SHA-256:B2542D73D6015FD2443B274AD93CFF540BFC7C8791A904D7049D3AEC9E7CDDDF
                                                                                                SHA-512:DD980130C0E93C50D4238429AA2C8706B28F794D667DB1DFA695D111750BC09DC6B5389C99BD69FA752B55188205E6C106FE24201A4D0A7AAB62B9060C98E451
                                                                                                Malicious:false
                                                                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.5.6.5.1.3.1.9.8.0.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.9.0.5.6.5.8.6.1.6.6.7.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.3.a.2.6.b.8.-.5.0.a.9.-.4.a.5.e.-.b.0.b.9.-.7.4.5.0.0.4.b.6.7.a.5.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.3.6.e.3.8.6.-.9.9.a.a.-.4.6.2.0.-.b.6.0.b.-.8.6.2.9.4.b.3.f.a.d.7.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.4.4.-.0.0.0.1.-.0.0.1.6.-.e.d.a.a.-.c.4.5.c.5.2.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A77.tmp.csv
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):52792
                                                                                                Entropy (8bit):3.069987542784775
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:8fHf1Jnhhyrt4R5LsHno5CovndLWey1tehbNA9gF:8fHf1Jnhhyrt4R5LsHno5CovndLWF1t8
                                                                                                MD5:F2AA7355F0D1B543B4B710F07C9CF9FF
                                                                                                SHA1:4229ED72C68D00C4A3ACC429C2A2EAACD6931019
                                                                                                SHA-256:8C03552A988D496CCD819409B86C6EBC390691DC9329E60836B5800716613499
                                                                                                SHA-512:1CD549E7D4350676B4CD3EE7841265FD25E99FD06F34A1C4226884FEFAB15EFA0DC472A6AA0004A432EC35FF51B4B4A6230504869B3F3693A13B318A1B77CBFD
                                                                                                Malicious:false
                                                                                                Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F5A.tmp.txt
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):13340
                                                                                                Entropy (8bit):2.6938126472737847
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:9GiZYWDDQqYBYLYHWkcHbYEZu/utFiQF1KUwmbcaRbAoGooIg113:9jZDDSsaX44aRbAoGoPg113
                                                                                                MD5:EED1EF6E1370C88853CE244909E64FAF
                                                                                                SHA1:DA7EC3123D6139FFBFB8C982A9B09AA28DEA24A3
                                                                                                SHA-256:BA9F8E6F44B6A56CA3B0E32F6E1A314C13BA144AC41A1671D7CBC5CD87082938
                                                                                                SHA-512:5692A9D416B2335343CC94136B0184DC198DF0E5CCBDA01E8256A714E97B7683BF468CDD1828EB369612992068B175135403A5D3A324E03C635AFD4E5C74DF28
                                                                                                Malicious:false
                                                                                                Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER5FB2.tmp.csv
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):52390
                                                                                                Entropy (8bit):3.0703641322109885
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:xfH0p++339tnR5X6noIfqzLuLVeRVdndbZk:xfH0p++339tnR5X6noIfqzLuLVWVdndK
                                                                                                MD5:3AFF1DB6DF2F39BB9B9528F3EFA244A0
                                                                                                SHA1:48AA9FA44113CE056CE12BACC505BEC4ECD47EFF
                                                                                                SHA-256:59D151D6F50E045E9A32C44E9FB91F5A9311742D11D899EF7245954B6B948F26
                                                                                                SHA-512:0F9027298D44794EF80F4B6926DBC7C6DF430E256E2C0898A432A63C86FACBA1DAA1F261E58B89F5261A07DE00C7D91BEB595BD24B3A38217D7779094D21411F
                                                                                                Malicious:false
                                                                                                Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER63F9.tmp.txt
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):13340
                                                                                                Entropy (8bit):2.694673523958015
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:9GiZYWDTPYBYqYaWZHAYEZ93tri0FPKNwt3UlzLay1sTsoaNICN3:9jZDk9H/EpLay1sTsofCN3
                                                                                                MD5:433F8837A39F0357E4FACCC0AC97C8A8
                                                                                                SHA1:34A0D3555F51061B43E3DD61BD5231148619D33C
                                                                                                SHA-256:4A9189792EA16EA07D1C81C54F514B5720C26927314489B497A96DEE9F7F69C6
                                                                                                SHA-512:86C3DE80094F98D076816A6A530EFBD3506F17F674AA125768FD29C1F4360FB2467D7DEE959864298E50757C14AB099352F79E928D5C9739CAEFE03778460D75
                                                                                                Malicious:false
                                                                                                Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B7.tmp.WERInternalMetadata.xml
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):8300
                                                                                                Entropy (8bit):3.6938500408941866
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:Rrl7r3GLNiTm6R6YIdSUEGgmfL8GSjCpDK89bUwsfJ8m:RrlsNiS6R6YCSUEGgmfLrSQUDf3
                                                                                                MD5:0FB45E3D46DFAED31707373B086A468B
                                                                                                SHA1:C01B13A77CCCB6717C8D74138FA88DC8F0FCD6D7
                                                                                                SHA-256:47A90F0F09050A5E60B135AB4BCE2D68A31BF2FCDE13BAEEA119E170E65FE787
                                                                                                SHA-512:2B2D313FC72FA316471D6B0ABCE1A0E07F503D60FFD9B4F37D54A347A30F86F0369F0C86DFAC21C9DF3C183A5744BA95BB17AB8B71DC2002B3C714D6A657DDFF
                                                                                                Malicious:false
                                                                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.4.4.<./.P.i.d.>.......
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9A.tmp.xml
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):4558
                                                                                                Entropy (8bit):4.432009885604335
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:cvIwSD8zsgJgtWI9Jdt1WSC8BL8fm8M4J2yGtFA+q84tjoKcQIcQwQvd:uITfmUiSNuJE4xoKkwQvd
                                                                                                MD5:F481B8D2D1543F60E9E941BAFF59859A
                                                                                                SHA1:CD333017701CCC29474164A6ACD86F66CC5E2379
                                                                                                SHA-256:8F4C4596A8126DD0BFB6F69D60C6087B21146ED689F678EC9805988F12267409
                                                                                                SHA-512:407887639F6CB3A7A2A659CC38D5C0F763EF0BD5448E99CC10A5F2FDFF720DB1D4270ABFA1F581B26E12F001778605989E342FD506DE1287290EEF0178F37134
                                                                                                Malicious:false
                                                                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279751" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE76.tmp.dmp
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 08:00:39 2021, 0x1205a4 type
                                                                                                Category:dropped
                                                                                                Size (bytes):27744
                                                                                                Entropy (8bit):2.472631846905019
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:X2lh3bGF4COmUXSSnhuGHcamkr21OxSqPJJQS:yrdm2SSnhEaDr21Oz
                                                                                                MD5:80CD0BCCDAB6AD4995B010A9546CD3EA
                                                                                                SHA1:B1179CE447B852C89CBBC2C6C7666D8FB9D7FAC0
                                                                                                SHA-256:73515F0F79A861CD18BEE20AEE51BD2A534C37F345F9658F9DAC3F503A857125
                                                                                                SHA-512:3BEF29CC083F829F3A47C1BC041699A8399E2CBF5826DB45845E376D6AC85EF7B139410E80D0776FE7A53CE6319835362FBDB10C44F0B1CD673BD448B42B74A3
                                                                                                Malicious:false
                                                                                                Preview: MDMP....... .......'}.a............4...............H.......$...........................`.......8...........T...........h...._...........................................................................................U...........B......p.......GenuineIntelW...........T.......D....|.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERD28E.tmp.WERInternalMetadata.xml
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):8340
                                                                                                Entropy (8bit):3.70261848767406
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:Rrl7r3GLNiTn696YIHSUZ+ugmfcSzyCpBU89bewsf0Xqm:RrlsNiT696Y4SUMugmfcSzJeDf+
                                                                                                MD5:7FD9DBB3326A994DDBF0ED60C728548C
                                                                                                SHA1:5E3401C9B55C3244957E5CCF7B4CB7028E3CB13A
                                                                                                SHA-256:CB3EAE541FF7D53DF6A24828FAB6959D5D2A1496225DDA0BF2A4C60576642D36
                                                                                                SHA-512:6F7959B0A086061107533804D7BBFE56BB83BE7682173EC57613D76BC36188FEAC170ABDB1987A7AAD89FE6104A58474F0E29AC2EBFAB86C4BCD5E22BD3D09F5
                                                                                                Malicious:false
                                                                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.4.4.<./.P.i.d.>.......
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERD619.tmp.xml
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):4598
                                                                                                Entropy (8bit):4.475517527842101
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:cvIwSD8zsgJgtWI9Jdt1WSC8B08fm8M4J2ynZFT+q84WD0KcQIcQwQvd:uITfmUiSNfJ1/Y0KkwQvd
                                                                                                MD5:7A47E5BD4F39B0F172C021080AC68BC3
                                                                                                SHA1:18CFDED79DC6239DE9735D91F590E4B3169289C1
                                                                                                SHA-256:9382642228C995BD31CC1D11E13B8E42BBA42E325177DBCD28B99770C6D37523
                                                                                                SHA-512:C1439BC09EB38FD203A6AE6724D9A08A6957DDD5C64864307D6A9F51BD1454D1342B7F75AFB0ABE76FA9BB9269B4A2390FFEEDEC1AA6BDC513ADD797FD27DA09
                                                                                                Malicious:false
                                                                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279751" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEEC.tmp.dmp
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 08:00:51 2021, 0x1205a4 type
                                                                                                Category:dropped
                                                                                                Size (bytes):1060760
                                                                                                Entropy (8bit):1.4611665065663524
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:xrfviF2+D4OZS7z4gM4TQS3jLIjrNCrV+5h08:xrfKFZUOgz4gM4TQS3jgcl8
                                                                                                MD5:7DFE724E49E62605247079FA8EF412F2
                                                                                                SHA1:EB7F96774A3C0647B2A85792A0C07A690932EA8D
                                                                                                SHA-256:4A2BF34679FE90E26DA6D36D44D7244B5653A0335E4DEB0236BFA933667A5D89
                                                                                                SHA-512:A72A967B9482F5893B4D6098957790249905BFEBE64C19EBAE35E9701F7FAD12FF0A9DD03FC0B785B582D6E6B3E2744DD3BE4C7153B78A0EBDB5EF484B918C0E
                                                                                                Malicious:false
                                                                                                Preview: MDMP....... .......3}.a............4...............H.......$...........................`.......8...........T...........@...X#...........................................................................................U...........B......p.......GenuineIntelW...........T.......D....|.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
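The two WerFault dumps above (WERCE76.tmp.dmp and WERFEEC.tmp.dmp) are typed by file(1) purely from the fixed 32-byte MINIDUMP_HEADER at offset 0: the "MDMP" signature, the stream count, the 32-bit time stamp and the MINIDUMP_TYPE flag word (0x1205a4). The parser below is an added example, not part of this report or of Joe Sandbox. The header it parses is constructed here from the values the report lists (15 streams, flags 0x1205a4, time stamp 0x61A87D27, which is what the little-endian bytes `'}.a` in the WERCE76.tmp.dmp preview spell); the version high word, stream-directory RVA and checksum are assumed, and nothing is read from the actual dumps.

```python
"""Parse the fixed MINIDUMP_HEADER at the start of a WerFault .dmp file.

Field layout (minidumpapiset.h), all little-endian:
  Signature(4) Version(4) NumberOfStreams(4) StreamDirectoryRva(4)
  CheckSum(4) TimeDateStamp(4) Flags(8)  -> 32 bytes in total
"""
import struct
import time
from datetime import datetime, timezone

MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793           # low 16 bits of the Version field
HEADER = struct.Struct("<4sIIIIIQ")

# MINIDUMP_TYPE bit values as defined in minidumpapiset.h.
MINIDUMP_TYPE = {
    0x00000001: "MiniDumpWithDataSegs",
    0x00000002: "MiniDumpWithFullMemory",
    0x00000004: "MiniDumpWithHandleData",
    0x00000008: "MiniDumpFilterMemory",
    0x00000010: "MiniDumpScanMemory",
    0x00000020: "MiniDumpWithUnloadedModules",
    0x00000040: "MiniDumpWithIndirectlyReferencedMemory",
    0x00000080: "MiniDumpFilterModulePaths",
    0x00000100: "MiniDumpWithProcessThreadData",
    0x00000200: "MiniDumpWithPrivateReadWriteMemory",
    0x00000400: "MiniDumpWithoutOptionalData",
    0x00000800: "MiniDumpWithFullMemoryInfo",
    0x00001000: "MiniDumpWithThreadInfo",
    0x00002000: "MiniDumpWithCodeSegs",
    0x00004000: "MiniDumpWithoutAuxiliaryState",
    0x00008000: "MiniDumpWithFullAuxiliaryState",
    0x00010000: "MiniDumpWithPrivateWriteCopyMemory",
    0x00020000: "MiniDumpIgnoreInaccessibleMemory",
    0x00040000: "MiniDumpWithTokenInformation",
    0x00080000: "MiniDumpWithModuleHeaders",
    0x00100000: "MiniDumpFilterTriage",
    0x00200000: "MiniDumpWithAvxXStateContext",
    0x00400000: "MiniDumpWithIptTrace",
}


def decode_flags(flags: int) -> list:
    """Expand the 64-bit Flags word into MINIDUMP_TYPE names; keep unknown bits visible."""
    names = [name for bit, name in sorted(MINIDUMP_TYPE.items()) if flags & bit]
    unknown = flags & ~sum(MINIDUMP_TYPE)
    if unknown:
        names.append(f"unknown:{unknown:#x}")
    return names


def parse_minidump_header(data: bytes) -> dict:
    """Validate and unpack the header; raise ValueError on anything that is not a minidump."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, checksum, ts, flags = HEADER.unpack_from(data)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError(f"bad signature {sig!r}")
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError(f"unexpected minidump version {version & 0xFFFF:#x}")
    return {
        "number_of_streams": nstreams,
        "stream_directory_rva": dir_rva,
        "checksum": checksum,
        "time_date_stamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "flags": flags,
        "flag_names": decode_flags(flags),
    }


def file_style_description(h: dict) -> str:
    """Render the header the way file(1) prints it in the File Type lines above."""
    stamp = time.asctime(time.gmtime(h["time_date_stamp"]))
    return f"Mini DuMP crash report, {h['number_of_streams']} streams, {stamp}, {h['flags']:#x} type"


# Constructed sample header, not bytes read from the dumps above: stream count,
# flags and time stamp come from the WERCE76.tmp.dmp entry; the version high
# word (0), directory RVA (32) and checksum (0) are assumed values.
SAMPLE_HEADER = HEADER.pack(b"MDMP", 0x0000A793, 15, 32, 0, 0x61A87D27, 0x1205A4)

if __name__ == "__main__":
    header = parse_minidump_header(SAMPLE_HEADER)
    print(file_style_description(header))
    for name in header["flag_names"]:
        print("  ", name)
```

The time stamp in the sample decodes to 2021-12-02 08:00:39 UTC, the same value file(1) printed for WERCE76.tmp.dmp; the second dump's preview (`3}.a`, 0x61A87D33) is twelve seconds later, matching its 08:00:51 stamp. When the full file is available, the 15 stream directory entries (12 bytes each) start at StreamDirectoryRva; this example stops at the header.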
                                                                                                C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):55
                                                                                                Entropy (8bit):4.306461250274409
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                Malicious:false
                                                                                                Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
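Each entry above carries the file size, MD5/SHA-1/SHA-256/SHA-512 digests and an "Entropy (8bit)" figure, which is the Shannon entropy of the byte distribution in bits per byte. Download-1.tmp is the one dropped file whose complete content is visible in its preview (55 bytes, no line terminator, matching the listed size), so it can be used to confirm that a recomputation reproduces the report. The code below is an added example, not part of this report or of Joe Sandbox; the byte string is transcribed from the preview above and the expected values are copied from that entry.

```python
"""Recompute the per-file metrics the report lists and flag any disagreement."""
import hashlib
import math
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_metrics(data: bytes) -> dict:
    """The same fields the report prints; digests upper-cased to match its style."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def mismatches(data: bytes, reported: dict, entropy_tolerance: float = 1e-6) -> list:
    """Return the names of reported fields that a recomputation does not reproduce."""
    computed = file_metrics(data)
    bad = []
    for field, expected in reported.items():
        actual = computed[field]
        if field == "entropy":
            ok = abs(actual - expected) <= entropy_tolerance
        elif isinstance(expected, str):
            ok = actual.lower() == expected.lower()   # digests compare case-insensitively
        else:
            ok = actual == expected
        if not ok:
            bad.append(field)
    return bad


# Transcribed from the Download-1.tmp preview above (55 bytes, no line terminator).
DOWNLOAD_1_TMP = b'{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}'

# Values copied from that entry in the report.
DOWNLOAD_1_TMP_REPORTED = {
    "size": 55,
    "entropy": 4.306461250274409,
    "md5": "DCA83F08D448911A14C22EBCACC5AD57",
    "sha1": "91270525521B7FE0D986DB19747F47D34B6318AD",
    "sha256": "2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9",
}

if __name__ == "__main__":
    for key, value in file_metrics(DOWNLOAD_1_TMP).items():
        print(f"{key}: {value}")
    print("mismatches:", mismatches(DOWNLOAD_1_TMP, DOWNLOAD_1_TMP_REPORTED))
```

The check only works on the real bytes of a file; the other previews above are truncated and render UTF-16 text with its null bytes as dots, so they cannot be fed to it. Appending a single newline to the sample is enough to change the size and every digest, which is the point of comparing against the report before treating a file pulled from an image as the one the sandbox saw.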
                                                                                                C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                Category:modified
                                                                                                Size (bytes):7250
                                                                                                Entropy (8bit):3.1638675934064526
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:cEj+AbCEH+AbuEAc+AbhGEA+AbNEe+Ab/Ee+AbPE6w9+Ab1wTET+Ab2:cY+38+DJc+iGr+MZ+65+6tg+ECY+T
                                                                                                MD5:19D036203BB3EC5E07BAC83F8DBAEB66
                                                                                                SHA1:3EDD1A7F453378F1BC3CD22239DB821F808F069C
                                                                                                SHA-256:1B247B7E58584F83F7D09B47D496C86B65CFA83CF35B5FF91F94D6697F8C908D
                                                                                                SHA-512:3DF8EA9EC236321EA74E54F343B86573DA2464C68CA0E54F5799E65ACD43B89D7C925C5CF6131C341AA0E4A1DC1FE4E0B448241CC7A62DFACB4781475CD0467A
                                                                                                Malicious:false
                                                                                                Preview: ..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
                                                                                                C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_075908_566.etl
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):12288
                                                                                                Entropy (8bit):3.816953613711694
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:8C/2gwPo+ka5N+9H/Y2WCnU/I2ly3ikr/441T2gjFzQNMCJ6JRI6Y5WIUMCQY56s:X/2gm0fHH2buZCSuTCeCHCmCQCm
                                                                                                MD5:25D83F52831611EC36AABEC832821052
                                                                                                SHA1:59B00827A0DA76004FD662EFEC408D59C476303D
                                                                                                SHA-256:5C35727B729E37102BA452E692B6584E085F34B08B4BD6E96EE9DDB34760423B
                                                                                                SHA-512:C3848F3529ED195D13CB584E431AC38377FB931F47075DC5C2F68EE739E3D3DB86C109DF9A62DA18D9863D13F468F1A50C81310BBFBAB9E4453D840C87793295
                                                                                                Malicious:false
                                                                                                Preview: .... ... ....................................... ...!....................................a%......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... .....[..|R...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.2.0.2._.0.7.5.9.0.8._.5.6.6...e.t.l.........P.P..........a%.....................................................................................................................................................................................................................................................................
                                                                                                C:\Windows\appcompat\Programs\Amcache.hve
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                Category:dropped
                                                                                                Size (bytes):1572864
                                                                                                Entropy (8bit):4.265286956235862
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:c6FofE2Ub1dQud7QCnz1ZLO561bDn7ad+sz7h+HaE5hDKW/Um9DWCdQw:dFofE2Ub1dQud7QwRrYw
                                                                                                MD5:9B496420DB28F4E286FFEE68D34F525F
                                                                                                SHA1:41366536762D47F866E01A1D721987DDF54C76FA
                                                                                                SHA-256:FBCC028B8D14D416ECE7D23D9E347D9AAA42EF187864B32D09EB174035930BA3
                                                                                                SHA-512:1392368168BA4AACA0448BD703AFF36BF683D852D3A7D3675141C4FDDC10DEDDB10F958DC021BDBF9DC67A2B17812600058DC4D5EE1B30FE5D56A63AF677DB81
                                                                                                Malicious:false
                                                                                                Preview: regfR...R...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..0.R................................................................................................................................................................................................................................................................................................................................................V4.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                Category:dropped
                                                                                                Size (bytes):16384
                                                                                                Entropy (8bit):3.0491493044179703
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:zya/VO1dvkCu4QY95FSE9lMqXyQVWnxuYW2o5Kqe8mxwpUuN5m:H9E5TXQnxuf2o5PmxwpUuN5m
                                                                                                MD5:42CA41DBE6607C9D0051C4F9B2C462B4
                                                                                                SHA1:93D88F3BA37D35FC24873618D9B8C077454BC416
                                                                                                SHA-256:A085B286280ACDF8F0E022D67A6E94A9AD9E334BE41D665913DFD56E99C99B3E
                                                                                                SHA-512:B4D0E13020FD5F33612BBDE4124E54BD62E934A49AB8445EE21168FFFF127B09E0D6618C5AA418FD71C1093D4755660D1500A0542917EF33269D4909DE606EDF
                                                                                                Malicious:false
                                                                                                Preview: regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..0.R................................................................................................................................................................................................................................................................................................................................................V4.HvLE.>......Q...........5...M|...H.Z``e.........................hbin................p.\..,..........nk,..e2.R................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..e2.R....... ...........P............... .......Z.......................Root........lf......Root....nk ..e2.R....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                                                                                                Static File Info

                                                                                                General

                                                                                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Entropy (8bit):7.0673548336573475
                                                                                                TrID:
                                                                                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                • DOS Executable Generic (2002/1) 0.20%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:Zd9TtpY4Kh.dll
                                                                                                File size:372736
                                                                                                MD5:71eea35f36f3642fdbb94d9310e87747
                                                                                                SHA1:25bcd5a134df55a5465ebe39f57bf758d5672197
                                                                                                SHA256:bbadafe48d63d23d3a2ebb4a4103e32646d314d5ffb8e2551d62270f8b3ec352
                                                                                                SHA512:c6d3628bc45cd0cf237d82f31b170dbffd117e13b6f9ba22f51c81ad91eeb6e992cd253b7b27c0d868078e8686c3b21e6f03ecbe9f8ef9c9725b920eb9f462d0
                                                                                                SSDEEP:6144:qRsMh9YQWtcgA70wgF7nJyk6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFLFRQKqV4epRmxAvAD
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

                                                                                                File Icon

                                                                                                Icon Hash:74f0e4ecccdce0e4

                                                                                                Static PE Info

                                                                                                General

                                                                                                Entrypoint:0x1001a401
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x10000000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                Time Stamp:0x61A7100E [Wed Dec 1 06:02:54 2021 UTC]
                                                                                                TLS Callbacks:0x1000c500
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:6
                                                                                                OS Version Minor:0
                                                                                                File Version Major:6
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:6
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:609402ef170a35cc0e660d7d95ac10ce

                                                                                                Entrypoint Preview

                                                                                                Instruction
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                cmp dword ptr [ebp+0Ch], 01h
                                                                                                jne 00007F90747BAEC7h
                                                                                                call 00007F90747BB258h
                                                                                                push dword ptr [ebp+10h]
                                                                                                push dword ptr [ebp+0Ch]
                                                                                                push dword ptr [ebp+08h]
                                                                                                call 00007F90747BAD73h
                                                                                                add esp, 0Ch
                                                                                                pop ebp
                                                                                                retn 000Ch
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                push dword ptr [ebp+08h]
                                                                                                call 00007F90747BB76Eh
                                                                                                pop ecx
                                                                                                pop ebp
                                                                                                ret
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                jmp 00007F90747BAECFh
                                                                                                push dword ptr [ebp+08h]
                                                                                                call 00007F90747BF254h
                                                                                                pop ecx
                                                                                                test eax, eax
                                                                                                je 00007F90747BAED1h
                                                                                                push dword ptr [ebp+08h]
                                                                                                call 00007F90747BF2D0h
                                                                                                pop ecx
                                                                                                test eax, eax
                                                                                                je 00007F90747BAEA8h
                                                                                                pop ebp
                                                                                                ret
                                                                                                cmp dword ptr [ebp+08h], FFFFFFFFh
                                                                                                je 00007F90747BB833h
                                                                                                jmp 00007F90747BB810h
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                push 00000000h
                                                                                                call dword ptr [1002808Ch]
                                                                                                push dword ptr [ebp+08h]
                                                                                                call dword ptr [10028088h]
                                                                                                push C0000409h
                                                                                                call dword ptr [10028040h]
                                                                                                push eax
                                                                                                call dword ptr [10028090h]
                                                                                                pop ebp
                                                                                                ret
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                sub esp, 00000324h
                                                                                                push 00000017h
                                                                                                call dword ptr [10028094h]
                                                                                                test eax, eax
                                                                                                je 00007F90747BAEC7h
                                                                                                push 00000002h
                                                                                                pop ecx
                                                                                                int 29h
                                                                                                mov dword ptr [1005AF18h], eax
                                                                                                mov dword ptr [1005AF14h], ecx
                                                                                                mov dword ptr [1005AF10h], edx
                                                                                                mov dword ptr [1005AF0Ch], ebx
                                                                                                mov dword ptr [1005AF08h], esi
                                                                                                mov dword ptr [1005AF04h], edi
                                                                                                mov word ptr [eax], es

                                                                                                Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x58390          0x8ac         .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x58c3c          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5d000          0x1bb0        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x56fdc          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x57100          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x57030          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x28000          0x154         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x264f4       0x26600   False     0.546620521173   data       6.29652715831  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x28000          0x313fa       0x31400   False     0.822468868972   data       7.43227552322  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x5a000          0x1844        0xe00     False     0.270647321429   data       2.60881097454  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata  0x5c000          0x66c         0x800     False     0.3583984375     data       2.21689595795  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc  0x5d000          0x1bb0        0x1c00    False     0.784598214286   data       6.62358237634  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
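The section table above puts .rdata at entropy 7.43 against 6.30 for .text in a 372 KB DLL, and the static PE info lists a TLS callback at 0x1000c500 that the loader runs before the entry point, so a debugger breaking only at EP never sees it. The script below is an added example, not part of the Joe Sandbox report and not the sample's own code: it parses the section headers of a PE32 file, computes Shannon entropy per section, walks the TLS directory to list the callback addresses, and reports both. build_sample_pe() constructs a synthetic two-section image so the example runs offline; that image, the 7.0 entropy threshold and the callback address 0x10001040 inside it are assumptions of the example, not data from the analysed file.

```python
"""Static PE32 triage: per-section entropy and TLS callbacks.
Added example; build_sample_pe() is a constructed test image, not the analysed sample."""
import math
import random
import struct
from collections import namedtuple
from typing import List

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_DIRECTORY_ENTRY_TLS = 9

Section = namedtuple("Section", "name vaddr vsize raw_off raw_size flags entropy")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _headers(image: bytes):
    """Return (optional header offset, its size, section table offset, section count)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                       # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    return pe + 24, opt_size, pe + 24 + opt_size, nsec


def parse_sections(image: bytes) -> List[Section]:
    _, _, table, nsec = _headers(image)
    out = []
    for i in range(nsec):                                                # 40-byte IMAGE_SECTION_HEADER each
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        out.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize,
                           rptr, rsize, flags, shannon_entropy(image[rptr:rptr + rsize])))
    return out


def rva_to_offset(rva: int, sections: List[Section]) -> int:
    for s in sections:
        if s.vaddr <= rva < s.vaddr + max(s.vsize, s.raw_size):
            return rva - s.vaddr + s.raw_off
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def tls_callbacks(image: bytes) -> List[int]:
    """Virtual addresses in the TLS callback array; the loader calls them before the entry point."""
    opt, _, _, _ = _headers(image)
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    dir_rva = struct.unpack_from("<I", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)[0]
    if dir_rva == 0:
        return []
    sections = parse_sections(image)
    # IMAGE_TLS_DIRECTORY32: RawStart, RawEnd, AddressOfIndex, AddressOfCallBacks, ZeroFill, Characteristics
    callbacks_va = struct.unpack_from("<IIIIII", image, rva_to_offset(dir_rva, sections))[3]
    if callbacks_va == 0:
        return []
    off, found = rva_to_offset(callbacks_va - image_base, sections), []
    while (va := struct.unpack_from("<I", image, off)[0]) != 0:         # NULL-terminated array of VAs
        found.append(va)
        off += 4
    return found


def triage(image: bytes, threshold: float = 7.0) -> List[str]:
    """Findings worth reading before running the file. The threshold is an assumption."""
    findings = []
    for s in parse_sections(image):
        if s.entropy >= threshold:
            findings.append(f"{s.name}: entropy {s.entropy:.2f} >= {threshold}, likely packed or encrypted payload")
    for va in tls_callbacks(image):
        findings.append(f"TLS callback at {va:#x} runs before the entry point; break there, not at EP")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32: a low-entropy .text and a random .rdata that also carries a TLS directory."""
    base, text_rva, rdata_rva, rng = 0x10000000, 0x1000, 0x2000, random.Random(7)
    text = bytes([0x55, 0x8B, 0xEC, 0x5D, 0xC3] * 100).ljust(0x200, b"\0")  # push ebp/mov ebp,esp/pop ebp/ret
    tls_dir = struct.pack("<IIIIII", 0, 0, 0, base + rdata_rva + 24, 0, 0)  # AddressOfCallBacks -> .rdata+24
    rdata = tls_dir + struct.pack("<II", base + text_rva + 0x40, 0)         # one callback, then terminator
    rdata += bytes(rng.getrandbits(8) for _ in range(0x1000 - len(rdata)))
    opt = bytearray(224)                                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, text_rva)                               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, base)                                   # ImageBase
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, rdata_rva, 24)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x2102)    # i386, 2 sections, DLL
    text_off, rdata_off = 0x200, 0x400

    def sec(name, rva, data, off, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(data), rva, len(data), off, 0, 0, 0, 0, flags)

    hdr = dos + b"PE\0\0" + coff + bytes(opt)
    hdr += sec(b".text", text_rva, text, text_off, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    hdr += sec(b".rdata", rdata_rva, rdata, rdata_off, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    return hdr.ljust(text_off, b"\0") + text + rdata


if __name__ == "__main__":
    for line in triage(build_sample_pe()):   # for a real file: triage(open(path, "rb").read())
        print(line)
```

On the synthetic image the script reports the random .rdata section and the single TLS callback; on a real PE32 the same two findings are the first things to check before any dynamic run, because a packed .rdata explains why the static import list looks like plain CRT code while the sandbox still sees Emotet behaviour, and a TLS callback is where early anti-analysis logic tends to live.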

                                                                                                Imports

DLL           Import
KERNEL32.dll  HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer
USER32.dll    GetDC, ReleaseDC, GetWindowRect

                                                                                                Exports

Name               Ordinal  Address
Control_RunDLL     1        0x100010a0
ajkaibu            2        0x100016c0
akyncbgollmj       3        0x10001480
alrcidxljxybdggs   4        0x10001860
bgmotrriehds       5        0x10001820
bojkfvynhhupnooyb  6        0x100019f0
bujuoqldqlzaod     7        0x10001800
bunsahctogxzts     8        0x100019e0
cjogbtafwukesw     9        0x10001830
csbbcaopuok        10       0x100016a0
cyqrjpaeorjur      11       0x100015f0
dlrzuyaeqj         12       0x10001840
egiimrq            13       0x10001850
evhgyts            14       0x100014f0
fdqpjjjyuw         15       0x100017e0
finabzjyxhxnnuuv   16       0x10001510
fkeacqpbbfw        17       0x10001910
fuwsgzf            18       0x10001790
fzbmpailk          19       0x10001980
gamsrhauvgl        20       0x10001810
gjfqgtgk           21       0x10001a10
gwsmfxfmekkyr      22       0x100018b0
haymuvtatadeydqmk  23       0x10001530
hqruohhkvpdalhq    24       0x10001620
htdaydfvtjlujwcaj  25       0x10001660
hzyrvjtx           26       0x100017c0
ifnsupqhxkwj       27       0x10001870
ijhgowlpmypocg     28       0x10001720
ispjhrqaxnyflnn    29       0x100015a0
iszvcqv            30       0x100017a0
ixgucop            31       0x100018d0
jcdvrhrguqtjpkc    32       0x100016b0
jkfyadsdpoks       33       0x100019c0
kfzgxmljkwaqy      34       0x10001730
kzfvroxozxufciczm  35       0x10001740
lpstjqa            36       0x10001900
ltkoyvzovzkqemyw   37       0x10001630
mdigcwjymnzvgaql   38       0x100014d0
mefathlzguuhqodfx  39       0x10001950
mgsrmfbja          40       0x10001500
mrxhcceopg         41       0x100014a0
nafhmuoq           42       0x100018f0
nefxgpc            43       0x100018a0
nrehxpiznrppeu     44       0x10001690
nucocnvjyqp        45       0x100018e0
obxoxtcbntaxofr    46       0x10001890
ofrzojd            47       0x100016e0
oofbctfc           48       0x10001550
opzpazspbecyjojf   49       0x100015b0
oqoigff            50       0x10001a00
oujlzhzvhjh        51       0x100016f0
ovpsanbypajv       52       0x100015e0
pblpcaadqbdxyb     53       0x10001680
ragwdgnyohftj      54       0x100017d0
rfosmac            55       0x10001710
rgymbuetvifqjqdlo  56       0x10001930
rmoxbxbbgidnbds    57       0x10001970
rxnkmfbycdcc       58       0x10001560
sefltbc            59       0x10001880
sgieprcsphl        60       0x100019a0
shpcmnqzvyltgdt    61       0x100016d0
slktbekupvmdbt     62       0x100015c0
sormivnk           63       0x10001570
tdblkstlyin        64       0x10001600
tkllyrc            65       0x10001650
tkwpnvfqnbpbdqe    66       0x10001a20
tnhtgnjrabqakgeke  67       0x10001700
tzpmcwwig          68       0x10001520
uceklmggjof        69       0x10001610
ukwdddyj           70       0x10001640
uwnaptydgur        71       0x10001940
vjusqoeo           72       0x10001580
vnyufpq            73       0x10001590
vsrwmkhzkrtlexxb   74       0x100014e0
wermsdfzb          75       0x10001770
wkhpfdjkypy        76       0x100014c0
wksndtayhfm        77       0x100015d0
wnjvxspilxpchq     78       0x10001670
wuqwfssiddrcl      79       0x10001570
wyyhtqptznbrknitg  80       0x100017f0
wzkcijdvadq        81       0x10001540
wzxlvxuyy          82       0x100019b0
xhtxeilfgsghxik    83       0x10001780
xvdijhconoukll     84       0x100014b0
ybbwnezvxfafm      85       0x10001750
yeylpreasnzamgac   86       0x100019d0
ypkidshxgzkkehc    87       0x100018c0
ypzvmpfbgai        88       0x10001760
zbrzizodycg        89       0x10001990
zdiuqcnzg          90       0x10001920
zfkwwtxd           91       0x10001490
zktykfwmaehxg      92       0x10001600
zmkbqvofdhermov    93       0x10001960
zvtqmkitgmzgo      94       0x100017b0

                                                                                                Network Behavior

                                                                                                No network behavior found

                                                                                                Code Manipulations

                                                                                                Statistics

                                                                                                Behavior

                                                                                                System Behavior

                                                                                                General

                                                                                                Start time:23:58:16
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\System32\loaddll32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:loaddll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll"
                                                                                                Imagebase:0xd60000
                                                                                                File size:893440 bytes
                                                                                                MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.539981294.0000000000FA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.539981294.0000000000FA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.562664559.0000000000FA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.562664559.0000000000FA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.540057881.000000000137C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.540057881.000000000137C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.561743739.000000000137C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.561743739.000000000137C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.542442475.000000000137C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.542442475.000000000137C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.563041724.000000000137C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.563041724.000000000137C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.596937604.000000000137C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.596937604.000000000137C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.561459077.0000000000FA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.561459077.0000000000FA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.542217719.0000000000FA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.542217719.0000000000FA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.596698488.0000000000FA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.596698488.0000000000FA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:23:58:16
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
                                                                                                Imagebase:0x150000
                                                                                                File size:232960 bytes
                                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:23:58:16
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL
                                                                                                Imagebase:0x120000
                                                                                                File size:61952 bytes
                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000003.507700136.0000000002EFC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000003.507700136.0000000002EFC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.521244679.0000000002DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.521244679.0000000002DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:23:58:17
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
                                                                                                Imagebase:0x120000
                                                                                                File size:61952 bytes
                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.538242653.000000000291A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.537633031.0000000002660000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.537633031.0000000002660000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:23:58:21
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu
                                                                                                Imagebase:0x120000
                                                                                                File size:61952 bytes
                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.534967742.000000000273A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.534990244.0000000002840000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.534990244.0000000002840000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:23:58:23
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                Imagebase:0x7ff797770000
                                                                                                File size:51288 bytes
                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:23:58:25
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,akyncbgollmj
                                                                                                Imagebase:0x120000
                                                                                                File size:61952 bytes
                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.540904925.00000000028FA000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.541263948.0000000002A00000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.541263948.0000000002A00000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:23:58:33
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                Imagebase:0x7ff797770000
                                                                                                File size:51288 bytes
                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:23:58:49
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                Imagebase:0x7ff797770000
                                                                                                File size:51288 bytes
                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:23:59:08
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                Imagebase:0x7ff797770000
                                                                                                File size:51288 bytes
                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:23:59:37
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                Imagebase:0x7ff779920000
                                                                                                File size:163336 bytes
                                                                                                MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:23:59:53
                                                                                                Start date:01/12/2021
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                Imagebase:0x7ff797770000
                                                                                                File size:51288 bytes
                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:00:00:19
                                                                                                Start date:02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Imagebase: 0x120000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:00:22
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw",IADPmoEsmQuul
Imagebase: 0x120000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.651948468.0000000002D8A000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.651976449.0000000002EC0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.651976449.0000000002EC0000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 00:00:26
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Imagebase: 0x120000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:00:32
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Imagebase: 0x120000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:00:33
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:00:34
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5444 -ip 5444
Imagebase: 0xc30000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:00:36
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 320
Imagebase: 0xc30000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:00:44
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 5444 -ip 5444
Imagebase: 0xc30000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:00:46
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 340
Imagebase: 0xc30000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:01:09
Start date: 02/12/2021
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase: 0x7ff71d680000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 00:01:10
Start date: 02/12/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 00:01:15
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:01:24
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kqkxkcs\syeog.ubw",Control_RunDLL
Imagebase: 0x120000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001E.00000002.775119059.00000000026A0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000001E.00000002.775119059.00000000026A0000.00000040.00000010.sdmp, Author: Joe Security

General

Start time: 00:01:54
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:02:03
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:02:11
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Disassembly

Code Analysis