
Windows Analysis Report Zd9TtpY4Kh.dll

Overview

General Information

Sample Name: Zd9TtpY4Kh.dll
Analysis ID: 532296
MD5: 71eea35f36f3642fdbb94d9310e87747
SHA1: 25bcd5a134df55a5465ebe39f57bf758d5672197
SHA256: bbadafe48d63d23d3a2ebb4a4103e32646d314d5ffb8e2551d62270f8b3ec352
Tags: 32, dll, exe
Detection

Emotet
Score: 80 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7160 cmdline: loaddll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5704 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3648 cmdline: rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 7080 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5688 cmdline: rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 3024 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",YYthscLHd MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6956 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3180 cmdline: rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 2316 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2960 cmdline: rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,akyncbgollmj MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 3156 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 4488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 320 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 1060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 328 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6160 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4072 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5780 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6120 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6668 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5348 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 4020 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 3088 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5676 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5672 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7160 -ip 7160 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3544 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7160 -ip 7160 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6640 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5696 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4888 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000000.551258636.0000000000C3C000.00000004.00000020.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000000.551258636.0000000000C3C000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000003.00000002.549497176.0000000002F70000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.549497176.0000000002F70000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000F.00000002.662460484.00000000032CA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(31 entries in total; first 5 shown)

            Unpacked PEs

Source | Rule | Description | Author
0.2.loaddll32.exe.af0000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0.2.loaddll32.exe.af0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0.0.loaddll32.exe.c43b40.4.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0.0.loaddll32.exe.c43b40.4.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.rundll32.exe.2f80000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(71 entries in total; first 5 shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started
Author: FPT.EagleEye
Data:
  Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",Control_RunDLL
  CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",Control_RunDLL
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",YYthscLHd
  ParentImage: C:\Windows\SysWOW64\rundll32.exe
  ParentProcessId: 3024
  ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",Control_RunDLL
  ProcessId: 6956
Note: the parent (PID 3024) loaded the dropped module from C:\Windows\SysWOW64\Lklkgjuftglvvvqq\ while the child (PID 6956) names the same file under C:\Windows\System32\. Both rundll32 instances are 32-bit, so WOW64 file-system redirection maps the System32 path onto SysWOW64; the two spellings refer to one file, and any detection keyed on the module path has to match both.
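
The Python below is an added example, not part of the Joe Sandbox report and not the logic of the FPT.EagleEye Sigma rule. It applies three heuristics that fall out of the process tree above (a rundll32 module with a non-DLL extension such as .tnq, a module sitting in a subdirectory of System32 or SysWOW64, and rundll32 spawned by rundll32) to constructed process-creation events modelled on that tree, plus one benign control event. The field names (Image, CommandLine, ParentImage, ProcessId) follow Sysmon Event ID 1; the control event and its ProcessId 1234 are invented for the test. The heuristics fire on the dropped-copy stage (PIDs 3024 and 6956), not on the initial load of the DLL from the user's Desktop, which looks like any other rundll32 invocation.

```python
import re
from pathlib import PureWindowsPath

# Parse "<rundll32> <module>,<export> [args]" from a Windows command line.
# Handles both quoted ("C:\path\x.dll",Export) and unquoted (C:\path\x.dll,Export) forms.
RUNDLL32_RE = re.compile(
    r'(?i)rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)'
)

# Extensions rundll32 legitimately loads; anything else (here: .tnq) is a red flag.
DLL_LIKE_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rundll32(cmdline):
    """Return (module_path, export) or None if cmdline is not a rundll32 invocation."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return m.group("module"), m.group("export")


def rundll32_reasons(event):
    """Return the heuristic hits for one process-creation event (empty list = nothing odd).

    event: dict with Image, CommandLine, ParentImage (Sysmon Event ID 1 field names).
    """
    reasons = []
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return reasons
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return reasons
    module, _export = parsed
    low = module.lower()

    if PureWindowsPath(module).suffix.lower() not in DLL_LIKE_EXT:
        reasons.append("module has non-DLL extension %r" % PureWindowsPath(module).suffix)
    for sysdir in SYSTEM_DIRS:
        # System DLLs sit directly in System32/SysWOW64; a module in a freshly
        # created subdirectory of those folders is unusual. A production rule
        # would allowlist known subfolders such as \drivers or \wbem.
        if low.startswith(sysdir) and "\\" in low[len(sysdir):]:
            reasons.append("module in subdirectory of %s" % sysdir)
    if event.get("ParentImage", "").lower().endswith("\\rundll32.exe"):
        reasons.append("rundll32 spawned by rundll32 (export chain)")
    return reasons


# Constructed sample events modelled on the process tree in this report, plus one
# benign control (PID 1234, opening a Control Panel applet) that is entirely invented.
SAMPLE_EVENTS = [
    {"ProcessId": 6956,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",Control_RunDLL',
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"ProcessId": 3024,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",YYthscLHd',
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"ProcessId": 3648,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1',
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"ProcessId": 1234,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL inetcpl.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def triage(events):
    """Map ProcessId -> reasons for every event with at least one heuristic hit."""
    hits = {}
    for e in events:
        reasons = rundll32_reasons(e)
        if reasons:
            hits[e["ProcessId"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against a real Sysmon export, only the event loading and the allowlist of legitimate System32 subfolders need to change; the rundll32-spawns-rundll32 check is the one that survives a rename of the dropped file, because it depends on the process relationship rather than on the path or extension.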

                      Jbx Signature Overview

                      AV Detection:

Multi AV Scanner detection for submitted file
Source: Zd9TtpY4Kh.dll  Virustotal: Detection: 18%
Source: Zd9TtpY4Kh.dll  ReversingLabs: Detection: 17%
Source: Zd9TtpY4Kh.dll  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: Zd9TtpY4Kh.dll  Static PE information: DYNAMIC_BASE, NX_COMPAT
Note: the PDB paths and URLs listed further down were extracted from WerFault.exe, svchost.exe and Amcache.hve, i.e. from Windows components running in the sandbox, not from the Emotet process memory. Treat them as background noise of the analysis VM, not as indicators of compromise for this sample.
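
Added example, not from the report or from Joe Sandbox: how the two static PE flag sets above are read from the COFF header Characteristics word and the optional header DllCharacteristics word. Because the sample itself is not on the page, build_pe_header() constructs a minimal, non-loadable PE32 header carrying exactly the flag values this report lists; pe_flags() works unchanged on a real file read with open(path, "rb").read(). The flag tables are the public PE/COFF constants, not values taken from the report.

```python
import struct

# IMAGE_FILE_* bits of the COFF header Characteristics word (PE/COFF specification).
IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0010: "AGGRESSIVE_WS_TRIM", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x0400: "REMOVABLE_RUN_FROM_SWAP", 0x0800: "NET_RUN_FROM_SWAP", 0x1000: "SYSTEM",
    0x2000: "DLL", 0x4000: "UP_SYSTEM_ONLY", 0x8000: "BYTES_REVERSED_HI",
}
# IMAGE_DLLCHARACTERISTICS_* bits of the optional header DllCharacteristics word.
IMAGE_DLLCHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def _names(value, table):
    """Expand a flag word into the names of the bits that are set, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_flags(data):
    """Parse the COFF and optional headers of a PE image.

    Returns {"machine", "pe32plus", "characteristics", "dll_characteristics", "is_dll"}.
    Raises ValueError on anything that is not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    machine, _nsect, _ts, _symptr, _nsym, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "characteristics": _names(characteristics, IMAGE_FILE_CHARACTERISTICS),
        "dll_characteristics": _names(dll_chars, IMAGE_DLLCHARACTERISTICS),
        "is_dll": bool(characteristics & 0x2000),
    }


def build_pe_header(characteristics, dll_characteristics, machine=0x014C):
    """Construct a minimal, non-loadable PE32 header with the given flag words.

    Test scaffolding only: it lets the parser run offline without the sample.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                                # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                  # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Flag words reproducing the static PE information this report lists for Zd9TtpY4Kh.dll.
REPORTED_CHARACTERISTICS = 0x0002 | 0x0020 | 0x0100 | 0x2000   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE | DLL
REPORTED_DLL_CHARACTERISTICS = 0x0040 | 0x0100                  # DYNAMIC_BASE | NX_COMPAT

if __name__ == "__main__":
    print(pe_flags(build_pe_header(REPORTED_CHARACTERISTICS, REPORTED_DLL_CHARACTERISTICS)))
```

For triage the two words answer different questions: Characteristics says what the file is (here a 32-bit DLL, consistent with the rundll32 and loaddll32 execution path in the process tree), DllCharacteristics says which loader mitigations it opted into (ASLR and DEP, but no CFG and no forced integrity), which is typical of a compiler default build rather than a hand-patched header.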
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.556517753.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556334837.0000000004B97000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556378070.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.556384233.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556472913.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.556384233.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556472913.00000000030A8000.00000004.00000001.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.556517753.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556378070.00000000030A2000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.574278186.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.573540381.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.566852906.0000000002B52000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000019.00000003.574278186.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.573540381.000000000088B000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B0927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E9B0927 FindFirstFileExW,
                      Source: svchost.exe, 0000001E.00000003.665031982.0000020D89D87000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
                      Source: svchost.exe, 0000001E.00000003.665031982.0000020D89D87000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001E.00000003.665066755.0000020D89D98000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.665031982.0000020D89D87000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z||.||6f0c105d-3db6-47de-894d-fd95973349e2||1152921505694224549||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                      Source: WerFault.exe, 00000019.00000002.597736196.00000000046F6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595782646.00000000046F4000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: WerFault.exe, 00000019.00000002.597736196.00000000046F6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595782646.00000000046F4000.00000004.00000001.sdmpString found in binary or memory: http://crl.m
                      Source: WerFault.exe, 00000019.00000002.597736196.00000000046F6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595782646.00000000046F4000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsoft
                      Source: svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: Amcache.hve.22.drString found in binary or memory: http://upx.sf.net
                      Source: svchost.exe, 0000000B.00000002.428918410.000002C111813000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
                      Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
                      Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.comt
                      Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
                      Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.comlCount
                      Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com
                      Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 0000000B.00000003.403202396.000002C11184D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 0000000B.00000002.444224118.000002C11186B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403182964.000002C111869000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                      Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 0000000B.00000002.442381647.000002C111861000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403199024.000002C111860000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000B.00000003.403212606.000002C111849000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.438698204.000002C11184A000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000B.00000003.403202396.000002C11184D000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.403212606.000002C111849000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.438698204.000002C11184A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.403212606.000002C111849000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.438698204.000002C11184A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.403189842.000002C111865000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.437291550.000002C111841000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.403231939.000002C11183E000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000003.403235220.000002C111850000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.440105242.000002C111856000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403202396.000002C11184D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001E.00000003.657779525.0000020D89D79000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback

                      E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 0.2.loaddll32.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.3210000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.af0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.af0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.3152160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.3370000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.2e92148.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.af0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2f70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.2e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.c43b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.af0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.2e92148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.2e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.c43b40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.34220a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.32e2240.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.af0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2f70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.3152160.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.34220a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.3210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.af0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.3370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.32e2240.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.551258636.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.549497176.0000000002F70000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.662460484.00000000032CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.552293543.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.568744360.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.547372307.000000000340A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.547349453.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.547377185.0000000002E7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.552423599.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.569816044.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.569948888.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.548909255.0000000002F80000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.568827402.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.598491073.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.518552205.00000000030C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.547342704.0000000003370000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.551169265.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.549093887.000000000313A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.598587675.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.662344438.0000000003210000.00000040.00000010.sdmp, type: MEMORY

                      System Summary:

Source: Zd9TtpY4Kh.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7160 -ip 7160
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Lklkgjuftglvvvqq\
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B11291
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0CE90
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B00A93
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFF48A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B00E97
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0E899
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0009A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0A29B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFA083
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFFE9D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B062F5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFC0EA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B04CF5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF40E2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B040FE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF1EFB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF46FA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B056E9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF84F0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B052D1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B028D5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B11CDB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF2CC2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF92C1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF90D4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B010CD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B120CE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF3228
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF9824
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF243F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF3432
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0282D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF800A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1261E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0C205
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF3A6C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF6869
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0B677
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFB464
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFEE60
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF387F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFFA78
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFAA4E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF544C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0EA55
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFAE43
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B03043
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFCE5A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B07445
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF6453
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0E3B5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B085B8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0D7BE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF59BF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF43BE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B089A2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B00BA4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0DDA5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0E5A7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B01591
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF358B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF4B81
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF8D80
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B03782
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0DB87
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF7795
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFB191
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF51EC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFA3E7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0EDED
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF19C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF75D2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFA92F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0CD35
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFF73B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B09124
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AF4D1E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0970A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0E10A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFCB13
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B03D0C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0BF0C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0590E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B10370
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFCF6E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00AFBD61
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B06540
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9977B4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E999F10
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E991DE0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E99D530
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E993A90
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9A0380
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9AE3A1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E99A890
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E99E890
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9968B0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9A10C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E996070
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F840FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F810CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F792C1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F920CE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F91291
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7B464
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8EA55
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7243F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F79824
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F83782
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8DB87
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7CF6E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F89124
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F83D0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F784F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F71EFB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F862F5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F746FA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F84CF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F856E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F740E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7C0EA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F91CDB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F790D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F852D1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F828D5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F72CC2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8E899
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8009A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8A29B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8CE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7FE9D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F80A93
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F80E97
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7A083
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7F48A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7387F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8B677
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7FA78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7EE60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F73A6C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F76869
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F76453
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7CE5A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7AE43
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7AA4E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F83043
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7544C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F87445
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F73432
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8282D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F73228
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F9261E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8C205
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7800A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7A3E7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8EDED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F751EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F775D2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F719C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F885B8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8D7BE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F759BF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F743BE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8E3B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F889A2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F80BA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8DDA5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8E5A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F77795
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7B191
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F81591
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F74B81
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F78D80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7358B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F90370
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7BD61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F86540
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7F73B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8CD35
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7A92F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F7CB13
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F74D1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8970A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8E10A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8BF0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02F8590E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E999F10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E991DE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E99D530
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E993A90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E9A0380
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E9AE3A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E99A890
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E99E890
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E9968B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E9A10C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E996070
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FA1291
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9EA55
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F846FA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F81EFB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F940FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F884F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F962F5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F94CF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F956E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8C0EA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F840E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FA1CDB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F952D1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F890D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F928D5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FA20CE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F910CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F892C1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F82CC2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9E899
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9A29B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9009A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8FE9D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9CE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F90A93
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F90E97
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8F48A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8A083
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8FA78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8387F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9B677
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F86869
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F83A6C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8EE60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8B464
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8CE5A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F86453
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8544C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8AA4E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F93043
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8AE43
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F97445
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8243F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F83432
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F83228
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9282D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F89824
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FA261E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8800A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9C205
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9EDED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F851EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8A3E7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F875D2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F819C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F985B8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F843BE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F859BF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9D7BE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9E3B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F989A2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9DDA5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F90BA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F9E5A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F91591
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8B191
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F87795
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F8358B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F88D80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02F84B81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F93782
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F9DB87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02FA0370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F8CF6E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F8BD61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F96540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F8F73B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F9CD35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F8A92F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F99124
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F84D1E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F8CB13
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F9970A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F9E10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F93D0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F9BF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F9590E
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E991DE0 appears 97 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E9AAC90 appears 33 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E991DE0 appears 89 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E9AAC90 appears 33 times
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess Stats: CPU usage > 98%
                      Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
                      Source: Zd9TtpY4Kh.dllVirustotal: Detection: 18%
                      Source: Zd9TtpY4Kh.dllReversingLabs: Detection: 17%
                      Source: Zd9TtpY4Kh.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,akyncbgollmj
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",YYthscLHd
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7160 -ip 7160
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 320
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7160 -ip 7160
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 328
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,akyncbgollmj
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",YYthscLHd
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",Control_RunDLL
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7160 -ip 7160
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 320
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7160 -ip 7160
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 328
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etlJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER99E3.tmpJump to behavior
                      Source: classification engineClassification label: mal80.troj.evad.winDLL@45/22@0/0
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5216:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7160
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:3544:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:5672:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: Zd9TtpY4Kh.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Zd9TtpY4Kh.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.556517753.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556334837.0000000004B97000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556378070.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.556384233.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556472913.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.556384233.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556472913.00000000030A8000.00000004.00000001.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.556517753.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556378070.00000000030A2000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.574278186.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.573540381.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.566852906.0000000002B52000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000019.00000003.574278186.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.573540381.000000000088B000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00AF13E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B6A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F713E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E9B6A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E997B08 push es; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02F813E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E99E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnqJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B0927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9B0927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.22.dr Binary or memory string: VMware
Source: Amcache.hve.22.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.22.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.22.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr Binary or memory string: VMware7,1
Source: Amcache.hve.22.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000001.00000002.682610533.0000025E21402000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: WerFault.exe, 00000019.00000002.597687109.00000000046C6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.597736196.00000000046F6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595782646.00000000046F4000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595850658.00000000046C6000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.22.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.22.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.22.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: svchost.exe, 00000001.00000002.682665171.0000025E21428000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: Amcache.hve.22.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.682371732.000001E0B4629000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.593861160.00000000046DC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.22.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9AAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E99E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E991290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B007D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9A9990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9AEC0B mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B02CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9A9920 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9A9920 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02F807D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9A9990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9AEC0B mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9B02CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9A9920 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9A9920 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F907D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B028D5 LdrInitializeThunk,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9AA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9AAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E9AA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E9AAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E9B0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7160 -ip 7160
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 320
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7160 -ip 7160
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 328
                      Source: loaddll32.exe, 00000000.00000000.552534627.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570145922.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568927758.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.551349425.0000000001410000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.683234293.000001BF1B990000.00000002.00020000.sdmp, rundll32.exe, 00000020.00000002.684873888.0000000003380000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000000.552534627.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570145922.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568927758.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.551349425.0000000001410000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.683234293.000001BF1B990000.00000002.00020000.sdmp, rundll32.exe, 00000020.00000002.684873888.0000000003380000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.552534627.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570145922.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568927758.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.551349425.0000000001410000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.683234293.000001BF1B990000.00000002.00020000.sdmp, rundll32.exe, 00000020.00000002.684873888.0000000003380000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.552534627.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570145922.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568927758.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.551349425.0000000001410000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.683234293.000001BF1B990000.00000002.00020000.sdmp, rundll32.exe, 00000020.00000002.684873888.0000000003380000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9AA584 cpuid
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9AA755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr | Binary or memory string: c:\users\user\desktop\procexp.exe
                      Source: Amcache.hve.22.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: svchost.exe, 0000000D.00000002.683335686.000001D56DE40000.00000004.00000001.sdmp | Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 0000000D.00000002.683184608.000001D56DE29000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.683539954.000001D56DF02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr | Binary or memory string: procexp.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match | File source: 0.2.loaddll32.exe.af0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.2f80000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.af0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.3210000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.af0000.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.af0000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.3152160.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.3370000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.2e92148.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.af0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.2f70000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.2e40000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.c43b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.af0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.2e92148.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.2e40000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.c43b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.c43b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.34220a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.af0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.32e2240.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.af0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.2f70000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.3152160.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.34220a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.3210000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.af0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.af0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.3370000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.32e2240.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000000.551258636.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.549497176.0000000002F70000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.662460484.00000000032CA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.552293543.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.568744360.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.547372307.000000000340A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.547349453.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.547377185.0000000002E7A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.552423599.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.569816044.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.569948888.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.548909255.0000000002F80000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.568827402.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.598491073.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.518552205.00000000030C5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.547342704.0000000003370000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.551169265.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.549093887.000000000313A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.598587675.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.662344438.0000000003210000.00000040.00000010.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation1 | DLL Side-Loading1 | Process Injection12 | Masquerading21 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API1 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery51 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion2 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | System Information Discovery13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | File Deletion1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

                      Behavior Graph

                      Behavior Graph ID: 532296 | Sample: Zd9TtpY4Kh.dll | Startdate: 02/12/2021 | Architecture: WINDOWS | Score: 80

                      Signatures attached to the start node: Sigma detected: Emotet RunDLL32 Process Creation; Multi AV Scanner detection for submitted file; Yara detected Emotet

                      Process edges recovered from the graph (parent -> started child):
                      Start -> loaddll32.exe; svchost.exe; svchost.exe; 9 other processes
                      loaddll32.exe -> rundll32.exe; cmd.exe; rundll32.exe; 3 other processes
                      svchost.exe -> MpCmdRun.exe (signature on this svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall))
                      svchost.exe -> WerFault.exe; WerFault.exe
                      rundll32.exe -> rundll32.exe (signature on this rundll32.exe: Hides that the sample has been downloaded from the Internet (zone.identifier))
                      cmd.exe -> rundll32.exe
                      rundll32.exe -> rundll32.exe
                      MpCmdRun.exe -> conhost.exe
                      3 other processes -> rundll32.exe
                      rundll32.exe (child of the zone.identifier rundll32.exe) -> rundll32.exe
                      rundll32.exe (child of cmd.exe) -> rundll32.exe


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      Zd9TtpY4Kh.dll | 19% | Virustotal |
                      Zd9TtpY4Kh.dll | 18% | ReversingLabs | Win32.Infostealer.Convagent

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      4.2.rundll32.exe.2f80000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      15.2.rundll32.exe.3210000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.af0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.af0000.9.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.2.loaddll32.exe.af0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      3.2.rundll32.exe.2f70000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      8.2.rundll32.exe.2e40000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.af0000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
                      7.2.rundll32.exe.3370000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.af0000.6.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
                      http://crl.microsoft | 0% | URL Reputation | safe
                      https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
                      https://%s.xboxlive.com | 0% | URL Reputation | safe
                      https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
                      http://crl.m | 0% | URL Reputation | safe
                      https://dynamic.t | 0% | URL Reputation | safe
                      https://%s.xboxlive.comlCount | 0% | Avira URL Cloud | safe
                      https://%s.dnet.xboxlive.comt | 0% | Avira URL Cloud | safe
                      https://disneyplus.com/legal. | 0% | URL Reputation | safe
                      http://help.disneyplus.com. | 0% | URL Reputation | safe
                      https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp | false | | high
                      https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmp | false | | high
                      https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp | false | | high
                      http://crl.microsoft | WerFault.exe, 00000019.00000002.597736196.00000000046F6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595782646.00000000046F4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000B.00000002.437291550.000002C111841000.00000004.00000001.sdmp | false | | high
                      https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmp | false | | high
                      https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 0000000B.00000002.444224118.000002C11186B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403182964.000002C111869000.00000004.00000001.sdmp | false | | high
                      https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000B.00000003.403235220.000002C111850000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.440105242.000002C111856000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403202396.000002C11184D000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp | false | | high
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000B.00000003.403212606.000002C111849000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.438698204.000002C11184A000.00000004.00000001.sdmp | false | | high
                      http://upx.sf.net | Amcache.hve.22.dr | false | | high
                      https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000001E.00000003.657779525.0000020D89D79000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp | false | | high
                      https://%s.xboxlive.com | svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp | false | URL Reputation: safe | low
                      https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp | false | | high
                      https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp | false | | high
                      https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000B.00000003.403202396.000002C11184D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp | false | | high
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmp | false | | high
                      https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000B.00000003.403212606.000002C111849000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.438698204.000002C11184A000.00000004.00000001.sdmp | false | | high
                      https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://crl.m | WerFault.exe, 00000019.00000002.597736196.00000000046F6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595782646.00000000046F4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000B.00000002.442381647.000002C111861000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403199024.000002C111860000.00000004.00000001.sdmp | false | | high
                      https://dynamic.t | svchost.exe, 0000000B.00000003.403189842.000002C111865000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://%s.xboxlive.comlCount | svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      https://%s.dnet.xboxlive.comt | svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp | false | | high
                                                                        https://disneyplus.com/legal.svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000B.00000003.403231939.000002C11183E000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000B.00000003.403212606.000002C111849000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.438698204.000002C11184A000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://activity.windows.comsvchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://www.bingmapsportal.comsvchost.exe, 0000000B.00000002.428918410.000002C111813000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  https://dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://help.disneyplus.com.svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://%s.dnet.xboxlive.comsvchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      low
                                                                                      https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000B.00000003.403202396.000002C11184D000.00000004.00000001.sdmpfalse
                                                                                          high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:532296
Start date:02.12.2021
Start time:00:11:07
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 24s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:Zd9TtpY4Kh.dll
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Run with higher sleep bypass
Number of new started processes analysed:34
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal80.troj.evad.winDLL@45/22@0/0
EGA Information:Failed
HDC Information:
• Successful, ratio: 10.3% (good quality ratio 9.7%)
• Quality average: 71%
• Quality standard deviation: 26.1%
HCA Information:
• Successful, ratio: 78%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Sleeps longer than 120000ms are automatically reduced to 1000ms
• Found application associated with file extension: .dll
Warnings:
• Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.54.110.249, 52.251.79.25, 80.67.82.235, 80.67.82.211
• Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
00:14:31 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8c5962cbbdb13a8671f1f3c3793157e73bd5d897_d70d8aa6_100270af\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.6753320867819554
Encrypted:false
SSDEEP:96:wgrTlZZqyHy9hkoyt7JfapXIQcQ5c6A2cE2cw33+a+z+HbHgfVG4rmMOyWZAXGn1:1XB2HnM28jjzq/u7sxS274ItW
MD5:2942AEA7B8AF82EB6ECFF7903CFFF142
SHA1:3712EB77A46D0E9F2D990667AFA57B8D83FECDBF
SHA-256:E662C417B79C01C77F5B029D02D8EA8B7BDB9D38CC268D9927E8F125CD66BEB1
SHA-512:B6889CDABC5E50C87C2B47BC28DC046A3418D9B2F9B76FECE31F3FE42AA57A38BE131C40F002D50A469C56FA3F89828476C805838EF93A135B124BD054299682
Malicious:false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.6.4.5.0.0.1.6.1.9.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.4.3.c.a.0.5.-.0.2.6.e.-.4.d.8.c.-.a.b.6.3.-.0.1.7.f.c.f.1.1.e.b.d.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.f.4.1.0.8.6.-.8.e.9.4.-.4.c.b.a.-.8.e.c.d.-.1.c.4.0.5.e.f.0.b.7.6.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.f.8.-.0.0.0.1.-.0.0.1.c.-.d.e.0.0.-.7.4.4.8.5.4.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_05aea82a\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.6787196257300817
Encrypted:false
SSDEEP:96:a1FWsdAlZZqyfy9hk1Dg3fWpXIQcQhc6tcEMcw32+a+z+HbHgfVG4rmMOyWZAXG0:GtdwXBfH/pGojzq/u7sWS274ItW
MD5:8646FF598D4FC06150C2CF7E8EDF33C5
SHA1:2CACDDA84AF3B5E580A8A60284208683B22DAE76
SHA-256:B8480BA00BC4996460F0462BAAA38FD304991DBF6F7C1BF1DE6A90812B02EF01
SHA-512:4E25AA52C4A879DC37C11AA456B42967A08D2DADD6BD5B4AF6974AA2240BF67234311D5C9BD428C5EADCBF23956E857386B1FEF8B0601AECD7EBC61ECFBEBFF1
Malicious:false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.6.4.5.8.3.1.8.3.4.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.9.0.6.4.6.6.4.7.4.5.4.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.3.6.d.b.4.3.-.a.9.b.5.-.4.2.3.7.-.8.4.c.9.-.e.c.2.1.d.a.3.9.8.a.f.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.b.0.0.1.f.3.e.-.a.e.5.7.-.4.2.7.3.-.b.3.8.5.-.3.0.c.9.3.8.d.e.7.8.4.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.f.8.-.0.0.0.1.-.0.0.1.c.-.d.e.0.0.-.7.4.4.8.5.4.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER619B.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 08:14:10 2021, 0x1205a4 type
Category:dropped
Size (bytes):27296
Entropy (8bit):2.4496135500113585
Encrypted:false
SSDEEP:192:B/uQnOF7sxmwUdC1f4q/2zZqgRV+u/X3nMjL:VOF4xxUzq/IZqgRV+tL
MD5:48BAB300890DD1EF75CD3CC584DF13D2
SHA1:7C7201885E93459325C4E5B3940C563DE8F05058
SHA-256:2B5204A506A8CD877068233DF71590DE7797443342876C3764F48F1A2F2AFB47
SHA-512:4CE15DF79846F4C325D55B9525424C9E213AD6FCDC30533DE365B677D4AA3A696F4EA4B0716165AE7022C442F8F34F0E3F7732CFFB3A020981EACCD936D2794D
Malicious:false
Preview: MDMP....... .......R..a............4...............H.......$...........................`.......8...........T...........h...8^...........................................................................................U...........B......p.......GenuineIntelW...........T..............a+............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6621.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8342
Entropy (8bit):3.7009428538679376
Encrypted:false
SSDEEP:192:Rrl7r3GLNiyg6wF6YFlSUXUogmfsSzrCpBH89b/xsfu1m:RrlsNiV6K6YHSUXUogmfsSz5/qf9
MD5:1D77C71A5367724D9CEB685C9F5CC434
SHA1:3AE81F517F3A3EF16F847303F91D5AEA332EBBB9
SHA-256:95A4D059393BC6FC0A63AFB231B1825654BD5F8A87D31688B3E733190DC71AE2
SHA-512:D899EE2077987092EA9B4986DA129E3470E2623F3BCC942F0AD4505391203DEB3EF31D8DB1A6445F7DC210772A469653AB4042CE0ADB18E991B58DD1D8E6B9E4
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER693F.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4598
Entropy (8bit):4.476303673243138
Encrypted:false
SSDEEP:48:cvIwSD8zskJgtWI9LfrWSC8Bd8fm8M4J2yzZFhqS1+q84WviKcQIcQwQjd:uITfikfaSNcJJNqS1giKkwQjd
MD5:347129E1AB29C723F836D648A022B855
SHA1:97E8F1243FDE920242988D77A8F1B18E97BBEC39
SHA-256:7AD8C4F631EE463D470BE14DAB32A0CA37B441CE4E8FA3B81378416D94C184CB
SHA-512:178DD584E30F8DD7469185BBE5EDF4063311E82757D245B0E5C80D5B1D38C21D975FCC8CD368DACC219D3BA36D161FAECA3312A786DA4236435F23ADEAA96E77
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279764" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER8214.tmp.dmp
                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 08:14:22 2021, 0x1205a4 type
                                                                                          Category:dropped
                                                                                          Size (bytes):1060392
                                                                                          Entropy (8bit):1.3584266274072105
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:Ykl8bZzasOdOwq6r+P3wLBAtC1fFlKG4x5PHslEQw2UW6qXxSBnsGZJMRAEAcE4g:YkqY4GStTx5yEQxUW5SxFJDjcv5q
                                                                                          MD5:2E3157B5FAEA804ADA457C35B7025DEB
                                                                                          SHA1:9CF23A66D8083A264727710D6C9953F540DEBF97
                                                                                          SHA-256:CDAABCB34EE2755616A5B2829C6F64AFCBB6A66BC12C95F8FFD730E7794A5EB4
                                                                                          SHA-512:69C5CBD63769AFE71CCC860D6328C07FD370DF1AB3BC88EBAC614B262B004B340A890CFE0130B46D07782F49908F4A10DBF9ED7105DA04D26BD94AE81B0C3F2A
                                                                                          Malicious:false
                                                                                          Preview: MDMP....... .......^..a............4...............H.......$...........................`.......8...........T...........@....!...........................................................................................U...........B......p.......GenuineIntelW...........T..............a+............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER9733.tmp.WERInternalMetadata.xml
                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8302
                                                                                          Entropy (8bit):3.6933591103329553
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:Rrl7r3GLNiyU6T6YF/SU5D3ZeLgmfL8GSaCpDa89buxsfw6m:RrlsNiB6T6Y9SU5rZeLgmfLrS5uqfs
                                                                                          MD5:E63F177331952091E6513CB7985728BD
                                                                                          SHA1:68C187A2A2CFBFF03E8A93BD5FFE2CAA529028D4
                                                                                          SHA-256:67127BB111BE435AB9B421A30247504A6DEBD0C9AFCC28A1C57C360E95666C9A
                                                                                          SHA-512:9D965BFC6C13784145D53D96BA2339DC938E41637FDF3B6DD1399A2D1B7019DE50066FD1B67BAD66A4F60D90D6BEC1BC6C99589D946D7712D62AB5A457E56D81
                                                                                          Malicious:false
                                                                                           Preview: <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7160</Pid> ...
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER99E3.tmp.csv
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):52524
                                                                                          Entropy (8bit):3.0562160554441116
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:I8HQ0ake2NRDoBBlWqUqzSoPKT2gAfbqiqFRFElX8KpHtA:I8HQ0ake2NRDoBBlWqUqzSoPKKgAfbq/
                                                                                          MD5:F86FF9E6E88A1012FE6DFE79E7420048
                                                                                          SHA1:2904DB59CC28796D2CAC4EB8867EF6234C12A2C4
                                                                                          SHA-256:6A3A7CB5D6FCF190D902D69C202CB56DF7C10BFE9CE09285E94AF9BBA10D7715
                                                                                          SHA-512:75C1FB763027766730F3913AD2AF55E3F2157690F85D5DC747EB15E58808BF7E8945D3EB8E0D1DD68E268E6192271D47E945151CE45FB989BAA9838451F2101F
                                                                                          Malicious:false
                                                                                           Preview: ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A80.tmp.xml
                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4558
                                                                                          Entropy (8bit):4.432852489939999
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cvIwSD8zsHrJgtWI9LfrWSC8BW8fm8M4J2yGtF34+q84tjuKcQIcQwQjd:uITflkfaSNtJE/4xuKkwQjd
                                                                                          MD5:9F71DF08B6FF40D4938B4645A43E11D3
                                                                                          SHA1:46441D798F65ACAA5E3EDABE76438DFE82E7CE70
                                                                                          SHA-256:438B6C622C11262F8E3AB730ED9D0D6C9D9E003FC988A09165A8BB10CEF64049
                                                                                          SHA-512:67E5970DACD8EA0D4C9F1847501FA2994E481FE7A8E1745DF7C1C89AB79AFA2B8FF04B49BEF0B2CA9CEF397035715422EA24E5B8E7D60A79CAE3D90E2EE59075
                                                                                          Malicious:false
                                                                                           Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <req ver="2"> <tlm> <src> <desc> <mach> <os> <arg nm="vermaj" val="10" /> <arg nm="vermin" val="0" /> <arg nm="verbld" val="17134" /> <arg nm="vercsdbld" val="1" /> <arg nm="verqfe" val="1" /> <arg nm="csdbld" val="1" /> <arg nm="versp" val="0" /> <arg nm="arch" val="9" /> <arg nm="lcid" val="1033" /> <arg nm="geoid" val="244" /> <arg nm="sku" val="48" /> <arg nm="domain" val="0" /> <arg nm="prodsuite" val="256" /> <arg nm="ntprodtype" val="1" /> <arg nm="platid" val="2" /> <arg nm="tmsi" val="1279765" /> <arg nm="osinsty" val="1" /> <arg nm="iever" val="11.1.17134.0-11.0.47" /> <arg nm="portos" val="0" /> <arg nm="ram" val="4096" />
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E0A.tmp.txt
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):13340
                                                                                          Entropy (8bit):2.6959719835051303
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:9GiZYWZX1an5YoYls/WcdiHqUYEZUjCtFiKOYzpw123zAa5PyFGIIMH3:9jZDYv5j7Aca5PyFGvMH3
                                                                                          MD5:7493BE388D7B1361500832A523ECEB35
                                                                                          SHA1:7CEDD802AA324CE0A1275288587E93590EF32ED6
                                                                                          SHA-256:255E49837035B5A12CA74F2DB96A6937FC7C725AFD44BAB7610402145C5F90F0
                                                                                          SHA-512:13D0496625673581E4D4E644CBC3759D27237103287731BEC5AD8E76714E07A0601EF71A21D29182626667A46FC53E1D8327C5F2AB63E3BE293ADF25928B599C
                                                                                          Malicious:false
                                                                                           Preview: TimerResolution 156250, PageSize 4096, NumberOfPhysicalPages 1048315, LowestPhysicalPageNumber 1, HighestPhysicalPageNumber 1310719, AllocationGranularity 65536, MinimumUserModeAddress 65536, MaximumUserModeAddress 140737488289791, ActiveProcessorsAffinityMask ...
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBB3.tmp.csv
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):51736
                                                                                          Entropy (8bit):3.0572069490916234
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:f8Hmfebm2PRzBBlWquy0SYxT4QC5ZKnfFbkvyxfePYfr:f8Hmfebm2PRzBBlWquy0SYxTlC5ZKnfD
                                                                                          MD5:5A2C103E88C340429F27B7BCBA7F4F2A
                                                                                          SHA1:1E4AB9E888BED85E4C46249C7DF289C4F6AEE50B
                                                                                          SHA-256:F94B19FB0B0624653553F24F20B6BD3E7F1A71178755D5360FBD398A10F41DC8
                                                                                          SHA-512:4C894A5418DC58E0A535C6426567ADAF931F78FD05FBEB103D7D19A94B52F5189C8016175E04A9E783295ECE2E71062EEEB9AE2397F0DB6B1BF72F7F5CB42375
                                                                                          Malicious:false
                                                                                           Preview: ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF9C.tmp.txt
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:modified
                                                                                          Size (bytes):13340
                                                                                          Entropy (8bit):2.695808825745679
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:9GiZYWIUQ1kj4Y9YoemWoywiHAUYEZKqtrinO7zpwZT2awoHf9jxIi+UI3:9jZDIrqPrr6awoHf9juLb3
                                                                                          MD5:C7B504A897028671DB87C540106E01A4
                                                                                          SHA1:D9DF308551597C154A145D9720E577FEC8555F55
                                                                                          SHA-256:F54378E366A7EE979EA6BF8CACB629B85A9885429C4D33F4F26548FD7ECC68F4
                                                                                          SHA-512:060F7834E16080F35FB07F9C21E0E5F60F15485A77A408152523005472AB3A86D372BA011B150761D8C5702BA4822B693752F51466E70219DBFD7F8C91B84DF8
                                                                                          Malicious:false
                                                                                           Preview: TimerResolution 156250, PageSize 4096, NumberOfPhysicalPages 1048315, LowestPhysicalPageNumber 1, HighestPhysicalPageNumber 1310719, AllocationGranularity 65536, MinimumUserModeAddress 65536, MaximumUserModeAddress 140737488289791, ActiveProcessorsAffinityMask ...
                                                                                          C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):65536
                                                                                          Entropy (8bit):0.1101727836969861
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:26OXm/Ey6q9995wNq3qQ10nMCldimE8eawHjcWY:26bl689LyMCldzE9BHjcWY
                                                                                          MD5:3CE7F38F89EF417650ECF65996A5FEAF
                                                                                          SHA1:E09EE7E0D824A631FC3455C83B8260AEC891F0DB
                                                                                          SHA-256:38903E98E296A605F337345380C3412BEB053B92E851A2E8A93902D33EDC6482
                                                                                          SHA-512:2415752F9A16E1B704CDF1F08CFFC040AF67FEEB472B6C2B1EB7C4CDA8C92DC35B331D538F522DE969D8C2745BF2B1EB98B6934938CD6E9D5B7A45786FD39280
                                                                                          Malicious:false
                                                                                           Preview: ... @tzres.dll,-212 ... @tzres.dll,-211 ... SyncVerbose ... C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl ...
                                                                                          C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):65536
                                                                                          Entropy (8bit):0.11282471699365751
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:/jXm/Ey6q9995qL1miM3qQ10nMCldimE8eawHza1miIJiP:yl68U1tMLyMCldzE9BHza1tIJC
                                                                                          MD5:0F00364F438F5B4D13D69737547D320F
                                                                                          SHA1:D28AF2306FE5325E04B78DF47E6D04B80E4A6727
                                                                                          SHA-256:AF0D283BF1284D6752F83B1247E066048BB34E33159C6E26123040AE16E3AB6A
                                                                                          SHA-512:D26DE87258C870EB7DFDF7ECDC20F5D43BC444F1BB7E60A9C016FDDE90573DE52B4515425D9B9A2889E656F3A8567479EC3C05F2CB81F4BC407D5530EB258EA5
                                                                                          Malicious:false
                                                                                           Preview: ... @tzres.dll,-212 ... @tzres.dll,-211 ... UnistackCircular ... C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl ...
                                                                                          C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):65536
                                                                                          Entropy (8bit):0.11276288886055777
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:E6jXm/Ey6q9995s1mK2P3qQ10nMCldimE8eawHza1mKwVP:E/l68K1iPLyMCldzE9BHza1Et
                                                                                          MD5:053D031988020BD2FDC75BBB73C241F5
                                                                                          SHA1:12BECAE5329157EA3F42CE1CD28D35FC777FFDB2
                                                                                          SHA-256:DA5E6DEF835D0B360ACDD0416C828251C2404BE2A97490BF30C6247A62647F03
                                                                                          SHA-512:C4C1242685B183DD9CB62E86E33E08D6BAE045BDB95E87E45B6E24317CEF889A9F58DC00CA9B9A9F36F40EBC480BA41AB5B2566CD9F0E8C48C75925268D3B20D
                                                                                          Malicious:false
                                                                                           Preview: ... @tzres.dll,-212 ... @tzres.dll,-211 ... UnistackCritical ... C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl ...
                                                                                          C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001.@ (copy)
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):65536
                                                                                          Entropy (8bit):0.1101727836969861
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:26OXm/Ey6q9995wNq3qQ10nMCldimE8eawHjcWY:26bl689LyMCldzE9BHjcWY
                                                                                          MD5:3CE7F38F89EF417650ECF65996A5FEAF
                                                                                          SHA1:E09EE7E0D824A631FC3455C83B8260AEC891F0DB
                                                                                          SHA-256:38903E98E296A605F337345380C3412BEB053B92E851A2E8A93902D33EDC6482
                                                                                          SHA-512:2415752F9A16E1B704CDF1F08CFFC040AF67FEEB472B6C2B1EB7C4CDA8C92DC35B331D538F522DE969D8C2745BF2B1EB98B6934938CD6E9D5B7A45786FD39280
                                                                                          Malicious:false
                                                                                           Preview: ... @tzres.dll,-212 ... @tzres.dll,-211 ... SyncVerbose ... C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl ...
                                                                                          C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):65536
                                                                                          Entropy (8bit):0.11282471699365751
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:/jXm/Ey6q9995qL1miM3qQ10nMCldimE8eawHza1miIJiP:yl68U1tMLyMCldzE9BHza1tIJC
                                                                                          MD5:0F00364F438F5B4D13D69737547D320F
                                                                                          SHA1:D28AF2306FE5325E04B78DF47E6D04B80E4A6727
                                                                                          SHA-256:AF0D283BF1284D6752F83B1247E066048BB34E33159C6E26123040AE16E3AB6A
                                                                                          SHA-512:D26DE87258C870EB7DFDF7ECDC20F5D43BC444F1BB7E60A9C016FDDE90573DE52B4515425D9B9A2889E656F3A8567479EC3C05F2CB81F4BC407D5530EB258EA5
                                                                                          Malicious:false
                                                                                           Preview: ... @tzres.dll,-212 ... @tzres.dll,-211 ... UnistackCircular ... C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl ...
                                                                                          C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001 (copy)
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):65536
                                                                                          Entropy (8bit):0.11276288886055777
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:E6jXm/Ey6q9995s1mK2P3qQ10nMCldimE8eawHza1mKwVP:E/l68K1iPLyMCldzE9BHza1Et
                                                                                          MD5:053D031988020BD2FDC75BBB73C241F5
                                                                                          SHA1:12BECAE5329157EA3F42CE1CD28D35FC777FFDB2
                                                                                          SHA-256:DA5E6DEF835D0B360ACDD0416C828251C2404BE2A97490BF30C6247A62647F03
                                                                                          SHA-512:C4C1242685B183DD9CB62E86E33E08D6BAE045BDB95E87E45B6E24317CEF889A9F58DC00CA9B9A9F36F40EBC480BA41AB5B2566CD9F0E8C48C75925268D3B20D
                                                                                          Malicious:false
                                                                                          Preview: .........................................................................................c.F.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..............................................................*~..... ......[.[T...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P..........j.F....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                          Category:modified
                                                                                          Size (bytes):9062
                                                                                          Entropy (8bit):3.1622931047337053
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zN+C:j+s+v+b+P+m+0+Q+q+W+C
                                                                                          MD5:FC3AFFCF97A1A5733C72E7F0DC6F1AD0
                                                                                          SHA1:7D6B5F184B0276AF67E2879629FB1AD21E1AFC7A
                                                                                          SHA-256:FEBCA5E4725467FB260B0F828509F83926E3C2A5614772C0885135229862404F
                                                                                          SHA-512:4DEBB3A0F3B9EC42D3C15E2E362905EFD3D3A53306B19D21468D79A7EA566593E06D163F91B0B8A1CEAC1D52050CC252FFFD6A422D7089F7E4F16B57F9DE39C9
                                                                                          Malicious:false
                                                                                          Preview: ..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
                                                                                          C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_081236_088.etl
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):12288
                                                                                          Entropy (8bit):3.812286787040644
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:eClL/o+JY5D09X/Y3QChII2la1kjO4Q8T2ojFzfNMCxdJRBj5DvJNMC+j5KNMCEj:dxDP8N2urZCVyCACdCdCHCZ
                                                                                          MD5:EFEE713F3ACA51F7ED7129B8E4F6FC18
                                                                                          SHA1:2BA88756ADD0CB0D3953EE56C1B2E4236250655E
                                                                                          SHA-256:745C4C76F9C660FA985E9ABB55A39F4CECAADB9300D32D95B0BB72AD2639DACA
                                                                                          SHA-512:97CA3203AF07516908CE86ED4906F0C925A183FAF2EE885E53D926BDA1AAB1975F7C1F681CA2F730E84554F052C2D4C7BC960CF9BFE80C68FF7CF017C3F33BEC
                                                                                          Malicious:false
                                                                                          Preview: .... ... ....................................... ...!...................................S.7......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..................................................................... .......j]T...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.2.0.2._.0.8.1.2.3.6._.0.8.8...e.t.l.........P.P.........S.7.....................................................................................................................................................................................................................................................................
                                                                                          C:\Windows\appcompat\Programs\Amcache.hve
                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                          Category:dropped
                                                                                          Size (bytes):1572864
                                                                                          Entropy (8bit):4.274090843410231
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:ILoa5fBuPHoEyz8F0TokuhNNblFkoZyuQCWHLeIO/Nn3qGc1wRhmg:0oa5fBuPHoEyz8XY
                                                                                          MD5:B456D5F1DC4A07CE35BCAAD0ABD74B5F
                                                                                          SHA1:AEC31AF5685FD9FA0DCB94CD7FD673CC60CD1685
                                                                                          SHA-256:EB2B7FAE1AAD7513B2E03518CE9FBB2D4E9B0937E0F1ACB85B449225567B1264
                                                                                          SHA-512:B5EB675086BC8162C8EBDCE659162ADF5C3AAD1D3C79FAA5C1A3C0F9451BC5B9268867075264069CA17089D4477E3ADC79D0C5C0E299777E8E2651B73FBF8099
                                                                                          Malicious:false
                                                                                          Preview: regf[...[...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....T...............................................................................................................................................................................................................................................................................................................................................:...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                          Category:dropped
                                                                                          Size (bytes):16384
                                                                                          Entropy (8bit):3.4022660043043857
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:RdUMc1G2e9XiUYq5FSEsWftx18xgoJ4X7aJNSdkyFn6yvRrsftWfYjdsiDoXzC5:P7p5Rftx18PJ4X77FFn7WZd1DoXzC5
                                                                                          MD5:33571DE23356636B568AB4C7C2EB62CF
                                                                                          SHA1:7A2C34637F41F28753839E8218ECB3E68ED666EF
                                                                                          SHA-256:9303B44A797C6A567D519B8A57C0B41F292A5CCDDD90BB7DBF8017DA5E808E28
                                                                                          SHA-512:5A399F2A564E4A8EC7833F4E48A81D1EB97D5872BC5CC3D0B482CCC956ABE08BB4AD25CC166C5AAC0479C30A4AC536D1BB088847DDBF4CE1D7536790E1C825C3
                                                                                          Malicious:false
                                                                                          Preview: regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....T...............................................................................................................................................................................................................................................................................................................................................<...HvLE.>......Z............P.<w..-.bd.L.........0..............hbin................p.\..,..........nk,.....T................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .....T....... ........................... .......Z.......................Root........lf......Root....nk .....T....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):7.0673548336573475
                                                                                          TrID:
                                                                                          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                          • DOS Executable Generic (2002/1) 0.20%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:Zd9TtpY4Kh.dll
                                                                                          File size:372736
                                                                                          MD5:71eea35f36f3642fdbb94d9310e87747
                                                                                          SHA1:25bcd5a134df55a5465ebe39f57bf758d5672197
                                                                                          SHA256:bbadafe48d63d23d3a2ebb4a4103e32646d314d5ffb8e2551d62270f8b3ec352
                                                                                          SHA512:c6d3628bc45cd0cf237d82f31b170dbffd117e13b6f9ba22f51c81ad91eeb6e992cd253b7b27c0d868078e8686c3b21e6f03ecbe9f8ef9c9725b920eb9f462d0
                                                                                          SSDEEP:6144:qRsMh9YQWtcgA70wgF7nJyk6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFLFRQKqV4epRmxAvAD
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

                                                                                          File Icon

                                                                                          Icon Hash:74f0e4ecccdce0e4

                                                                                          Static PE Info

                                                                                          General

                                                                                          Entrypoint:0x1001a401
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x10000000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                          Time Stamp:0x61A7100E [Wed Dec 1 06:02:54 2021 UTC]
                                                                                          TLS Callbacks:0x1000c500
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:6
                                                                                          OS Version Minor:0
                                                                                          File Version Major:6
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:6
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:609402ef170a35cc0e660d7d95ac10ce

                                                                                          Entrypoint Preview

                                                                                          Instruction
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          cmp dword ptr [ebp+0Ch], 01h
                                                                                          jne 00007FC12072E877h
                                                                                          call 00007FC12072EC08h
                                                                                          push dword ptr [ebp+10h]
                                                                                          push dword ptr [ebp+0Ch]
                                                                                          push dword ptr [ebp+08h]
                                                                                          call 00007FC12072E723h
                                                                                          add esp, 0Ch
                                                                                          pop ebp
                                                                                          retn 000Ch
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          push dword ptr [ebp+08h]
                                                                                          call 00007FC12072F11Eh
                                                                                          pop ecx
                                                                                          pop ebp
                                                                                          ret
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          jmp 00007FC12072E87Fh
                                                                                          push dword ptr [ebp+08h]
                                                                                          call 00007FC120732C04h
                                                                                          pop ecx
                                                                                          test eax, eax
                                                                                          je 00007FC12072E881h
                                                                                          push dword ptr [ebp+08h]
                                                                                          call 00007FC120732C80h
                                                                                          pop ecx
                                                                                          test eax, eax
                                                                                          je 00007FC12072E858h
                                                                                          pop ebp
                                                                                          ret
                                                                                          cmp dword ptr [ebp+08h], FFFFFFFFh
                                                                                          je 00007FC12072F1E3h
                                                                                          jmp 00007FC12072F1C0h
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          push 00000000h
                                                                                          call dword ptr [1002808Ch]
                                                                                          push dword ptr [ebp+08h]
                                                                                          call dword ptr [10028088h]
                                                                                          push C0000409h
                                                                                          call dword ptr [10028040h]
                                                                                          push eax
                                                                                          call dword ptr [10028090h]
                                                                                          pop ebp
                                                                                          ret
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          sub esp, 00000324h
                                                                                          push 00000017h
                                                                                          call dword ptr [10028094h]
                                                                                          test eax, eax
                                                                                          je 00007FC12072E877h
                                                                                          push 00000002h
                                                                                          pop ecx
                                                                                          int 29h
                                                                                          mov dword ptr [1005AF18h], eax
                                                                                          mov dword ptr [1005AF14h], ecx
                                                                                          mov dword ptr [1005AF10h], edx
                                                                                          mov dword ptr [1005AF0Ch], ebx
                                                                                          mov dword ptr [1005AF08h], esi
                                                                                          mov dword ptr [1005AF04h], edi
                                                                                          mov word ptr [eax], es

                                                                                          Data Directories

                                                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x58390          0x8ac         .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0x58c3c          0x3c          .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5d000          0x1bb0        .reloc
                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x56fdc          0x54          .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x57100          0x18          .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x57030          0x40          .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x28000          0x154         .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                          Sections

                                                                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                                          .text   0x1000           0x264f4       0x26600   False     0.546620521173   data       6.29652715831  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                          .rdata  0x28000          0x313fa       0x31400   False     0.822468868972   data       7.43227552322  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .data   0x5a000          0x1844        0xe00     False     0.270647321429   data       2.60881097454  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                          .pdata  0x5c000          0x66c         0x800     False     0.3583984375     data       2.21689595795  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                          .reloc  0x5d000          0x1bb0        0x1c00    False     0.784598214286   data       6.62358237634  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                          Imports

                                                                                          DLL           Import
                                                                                          KERNEL32.dll  HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer
                                                                                          USER32.dll    GetDC, ReleaseDC, GetWindowRect

                                                                                          Exports

Name | Ordinal | Address
Control_RunDLL | 1 | 0x100010a0
ajkaibu | 2 | 0x100016c0
akyncbgollmj | 3 | 0x10001480
alrcidxljxybdggs | 4 | 0x10001860
bgmotrriehds | 5 | 0x10001820
bojkfvynhhupnooyb | 6 | 0x100019f0
bujuoqldqlzaod | 7 | 0x10001800
bunsahctogxzts | 8 | 0x100019e0
cjogbtafwukesw | 9 | 0x10001830
csbbcaopuok | 10 | 0x100016a0
cyqrjpaeorjur | 11 | 0x100015f0
dlrzuyaeqj | 12 | 0x10001840
egiimrq | 13 | 0x10001850
evhgyts | 14 | 0x100014f0
fdqpjjjyuw | 15 | 0x100017e0
finabzjyxhxnnuuv | 16 | 0x10001510
fkeacqpbbfw | 17 | 0x10001910
fuwsgzf | 18 | 0x10001790
fzbmpailk | 19 | 0x10001980
gamsrhauvgl | 20 | 0x10001810
gjfqgtgk | 21 | 0x10001a10
gwsmfxfmekkyr | 22 | 0x100018b0
haymuvtatadeydqmk | 23 | 0x10001530
hqruohhkvpdalhq | 24 | 0x10001620
htdaydfvtjlujwcaj | 25 | 0x10001660
hzyrvjtx | 26 | 0x100017c0
ifnsupqhxkwj | 27 | 0x10001870
ijhgowlpmypocg | 28 | 0x10001720
ispjhrqaxnyflnn | 29 | 0x100015a0
iszvcqv | 30 | 0x100017a0
ixgucop | 31 | 0x100018d0
jcdvrhrguqtjpkc | 32 | 0x100016b0
jkfyadsdpoks | 33 | 0x100019c0
kfzgxmljkwaqy | 34 | 0x10001730
kzfvroxozxufciczm | 35 | 0x10001740
lpstjqa | 36 | 0x10001900
ltkoyvzovzkqemyw | 37 | 0x10001630
mdigcwjymnzvgaql | 38 | 0x100014d0
mefathlzguuhqodfx | 39 | 0x10001950
mgsrmfbja | 40 | 0x10001500
mrxhcceopg | 41 | 0x100014a0
nafhmuoq | 42 | 0x100018f0
nefxgpc | 43 | 0x100018a0
nrehxpiznrppeu | 44 | 0x10001690
nucocnvjyqp | 45 | 0x100018e0
obxoxtcbntaxofr | 46 | 0x10001890
ofrzojd | 47 | 0x100016e0
oofbctfc | 48 | 0x10001550
opzpazspbecyjojf | 49 | 0x100015b0
oqoigff | 50 | 0x10001a00
oujlzhzvhjh | 51 | 0x100016f0
ovpsanbypajv | 52 | 0x100015e0
pblpcaadqbdxyb | 53 | 0x10001680
ragwdgnyohftj | 54 | 0x100017d0
rfosmac | 55 | 0x10001710
rgymbuetvifqjqdlo | 56 | 0x10001930
rmoxbxbbgidnbds | 57 | 0x10001970
rxnkmfbycdcc | 58 | 0x10001560
sefltbc | 59 | 0x10001880
sgieprcsphl | 60 | 0x100019a0
shpcmnqzvyltgdt | 61 | 0x100016d0
slktbekupvmdbt | 62 | 0x100015c0
sormivnk | 63 | 0x10001570
tdblkstlyin | 64 | 0x10001600
tkllyrc | 65 | 0x10001650
tkwpnvfqnbpbdqe | 66 | 0x10001a20
tnhtgnjrabqakgeke | 67 | 0x10001700
tzpmcwwig | 68 | 0x10001520
uceklmggjof | 69 | 0x10001610
ukwdddyj | 70 | 0x10001640
uwnaptydgur | 71 | 0x10001940
vjusqoeo | 72 | 0x10001580
vnyufpq | 73 | 0x10001590
vsrwmkhzkrtlexxb | 74 | 0x100014e0
wermsdfzb | 75 | 0x10001770
wkhpfdjkypy | 76 | 0x100014c0
wksndtayhfm | 77 | 0x100015d0
wnjvxspilxpchq | 78 | 0x10001670
wuqwfssiddrcl | 79 | 0x10001570
wyyhtqptznbrknitg | 80 | 0x100017f0
wzkcijdvadq | 81 | 0x10001540
wzxlvxuyy | 82 | 0x100019b0
xhtxeilfgsghxik | 83 | 0x10001780
xvdijhconoukll | 84 | 0x100014b0
ybbwnezvxfafm | 85 | 0x10001750
yeylpreasnzamgac | 86 | 0x100019d0
ypkidshxgzkkehc | 87 | 0x100018c0
ypzvmpfbgai | 88 | 0x10001760
zbrzizodycg | 89 | 0x10001990
zdiuqcnzg | 90 | 0x10001920
zfkwwtxd | 91 | 0x10001490
zktykfwmaehxg | 92 | 0x10001600
zmkbqvofdhermov | 93 | 0x10001960
zvtqmkitgmzgo | 94 | 0x100017b0
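The export table above has the shape analysts associate with loader decoys: one recognisable name (Control_RunDLL) next to 93 random-looking names whose addresses sit 0x10 bytes apart, with several names resolving to the same address (for instance 0x10001570 and 0x10001600). The script below is an added example and is not part of the Joe Sandbox report or its detection logic: it parses a constructed subset of the report's rows in the flattened "NameOrdinalAddress" form in which the report renders them and applies generic heuristics (vowel ratio, consonant runs, stub spacing, shared addresses) to reach a verdict. The thresholds are assumptions chosen for this sample.

```python
"""Triage a DLL export table for decoy exports.

Added example, not part of the Joe Sandbox report: the rows below are a
subset of the report's Exports table in the flattened "NameOrdinalAddress"
form in which the report renders them; the heuristics are generic analyst
checks with assumed thresholds, not the sandbox's own detection logic.
"""
import re
import statistics
from collections import defaultdict

# Constructed input: 16 rows transcribed from the report's Exports table.
REPORT_EXPORTS = """
Control_RunDLL10x100010a0
akyncbgollmj30x10001480
zfkwwtxd910x10001490
mrxhcceopg410x100014a0
xvdijhconoukll840x100014b0
wkhpfdjkypy760x100014c0
mdigcwjymnzvgaql380x100014d0
vsrwmkhzkrtlexxb740x100014e0
evhgyts140x100014f0
mgsrmfbja400x10001500
finabzjyxhxnnuuv160x10001510
sormivnk630x10001570
wuqwfssiddrcl790x10001570
tdblkstlyin640x10001600
zktykfwmaehxg920x10001600
ajkaibu20x100016c0
"""

# Export names are letters/underscore, so the first digit starts the ordinal;
# the regex backtracks so that the address keeps its leading "0x".
EXPORT_ROW = re.compile(r"^([A-Za-z_]+)(\d+)(0x[0-9a-fA-F]+)$")
VOWELS = set("aeiou")


def parse_exports(text):
    """Parse flattened rows into (name, ordinal, address) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EXPORT_ROW.match(line)
        if m is None:
            raise ValueError(f"unparseable export row: {line!r}")
        rows.append((m.group(1), int(m.group(2)), int(m.group(3), 16)))
    return rows


def looks_generated(name):
    """Heuristic for machine-generated names: all-lowercase letters with
    fewer than 20% vowels or a run of four or more consonants (y counts
    as a consonant). Names with case or underscores, e.g. Control_RunDLL,
    are treated as deliberate and never flagged."""
    if not (name.isalpha() and name.islower()):
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", name)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 4


def triage(rows):
    """Summarise how the exports map onto code: decoy tables tend to have
    many junk names, tightly packed stubs and several names per address."""
    by_addr = defaultdict(list)
    for name, _ordinal, addr in rows:
        by_addr[addr].append(name)
    addrs = sorted(by_addr)
    gaps = [b - a for a, b in zip(addrs, addrs[1:])]
    generated = [name for name, _o, _a in rows if looks_generated(name)]
    median_gap = int(statistics.median(gaps)) if gaps else 0
    return {
        "exports": len(rows),
        "distinct_addresses": len(addrs),
        "shared": {hex(a): n for a, n in by_addr.items() if len(n) > 1},
        "generated_names": generated,
        "median_gap": median_gap,
        # Assumed verdict rule: at least half junk names and stubs packed
        # 32 bytes apart or closer.
        "decoy_exports": len(generated) * 2 >= len(rows) and median_gap <= 0x20,
    }


if __name__ == "__main__":
    summary = triage(parse_exports(REPORT_EXPORTS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the subset embedded above the median spacing between distinct export addresses is 16 bytes, two addresses are each claimed by two names, and 12 of the 16 names trip the name heuristic, so the verdict is that the table is padding around a single real entry point. Against a full PE the same checks would be run over the export directory rather than over text scraped from a report.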

                                                                                          Network Behavior

                                                                                          No network behavior found

                                                                                          Code Manipulations

                                                                                          Statistics

                                                                                          Behavior


                                                                                          System Behavior

                                                                                          General

                                                                                          Start time:00:12:01
                                                                                          Start date:02/12/2021
                                                                                          Path:C:\Windows\System32\loaddll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:loaddll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll"
                                                                                          Imagebase:0x1150000
                                                                                          File size:893440 bytes
                                                                                          MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.551258636.0000000000C3C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.551258636.0000000000C3C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.552293543.0000000000AF0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.552293543.0000000000AF0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.568744360.0000000000AF0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.568744360.0000000000AF0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.552423599.0000000000C3C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.552423599.0000000000C3C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.569816044.0000000000AF0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.569816044.0000000000AF0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.569948888.0000000000C3C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.569948888.0000000000C3C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.568827402.0000000000C3C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.568827402.0000000000C3C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.598491073.0000000000AF0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.598491073.0000000000AF0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.551169265.0000000000AF0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.551169265.0000000000AF0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.598587675.0000000000C3C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.598587675.0000000000C3C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:00:12:01
                                                                                          Start date:02/12/2021
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                          Imagebase:0x7ff70d6e0000
                                                                                          File size:51288 bytes
                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:00:12:01
                                                                                          Start date:02/12/2021
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
                                                                                          Imagebase:0xd80000
                                                                                          File size:232960 bytes
                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:00:12:01
                                                                                          Start date:02/12/2021
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL
                                                                                          Imagebase:0xba0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.549497176.0000000002F70000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.549497176.0000000002F70000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000003.518552205.00000000030C5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000003.518552205.00000000030C5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:00:12:01
                                                                                          Start date:02/12/2021
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
                                                                                          Imagebase:0xba0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.548909255.0000000002F80000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.548909255.0000000002F80000.00000040.00000010.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.549093887.000000000313A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                          Reputation:high
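The process list shows the two ways the DLL gets launched here: rundll32.exe against a DLL in the user's Desktop folder, once by ordinal (#1) and once by the Control_RunDLL export, with further rundll32 instances per export driven by the loaddll32.exe harness. The following is an added example, not part of the Joe Sandbox report and not the Sigma rule the report cites: it re-implements the usual process-creation heuristics for this pattern in Python and runs them over command lines constructed from the report's process list, plus one constructed benign shell32.dll launch for contrast. The directory list and reason strings are assumptions.

```python
"""Flag rundll32 launches of DLLs from user-writable paths.

Added example, not part of the Joe Sandbox report and not the Sigma rule it
cites: the command lines below are constructed from the report's process
list (plus one constructed benign shell32 launch), and the rule is a plain
re-implementation of the usual rundll32 process-creation heuristics.
"""
import re

# Constructed sample: command lines as listed in the report, plus a benign
# control-panel launch for contrast (constructed, not from the report).
SAMPLE_CMDLINES = [
    r'loaddll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll"',
    r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1',
    r'rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL',
    r'rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1',
    r'rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu',
    r'C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
]

# Matches "rundll32[.exe] <dll>,<entry>" anywhere in the command line, with the
# DLL path optionally quoted; <entry> is an export name or an "#ordinal".
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(#?\w+)',
                      re.IGNORECASE)

# Assumed list of directories an unprivileged user can write to; a DLL loaded
# from one of these by rundll32 is the core condition of the detection.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\tmp\\")

REASON_PATH = "dll in user-writable path"
REASON_ORDINAL = "export called by ordinal"
REASON_CPL = "Control_RunDLL on a module other than shell32.dll"


def classify(cmdline):
    """Return None for non-rundll32 lines, otherwise the DLL, entry point,
    matched reasons and a verdict."""
    m = RUNDLL32.search(cmdline)
    if m is None:
        return None
    dll, entry = m.group(1), m.group(2)
    dll_lower = dll.lower()
    reasons = []
    if any(d in dll_lower for d in USER_WRITABLE):
        reasons.append(REASON_PATH)
    if entry.startswith("#"):
        reasons.append(REASON_ORDINAL)
    elif entry.lower() == "control_rundll" and not dll_lower.endswith("shell32.dll"):
        reasons.append(REASON_CPL)
    # Verdict: the path condition alone is enough; the others add context
    # for the analyst and would raise severity in a real rule.
    return {"dll": dll, "entry": entry, "reasons": reasons,
            "suspicious": REASON_PATH in reasons}


def scan(cmdlines):
    """Classify every command line and keep the rundll32 ones, in order."""
    hits = []
    for line in cmdlines:
        result = classify(line)
        if result is not None:
            result["cmdline"] = line
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f"{flag:10} {hit['entry']:15} {hit['dll']}  {hit['reasons']}")
```

Four of the five rundll32 lines are flagged and the shell32.dll launch is not. Two caveats when turning this into a production rule: the loaddll32.exe and cmd.exe invocations here are the sandbox driving each export, so on a real host the parent process and user context carry more weight than the exact launcher, and legitimate software that runs rundll32 against its own DLLs under the user profile will need an allowlist.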

                                                                                          General

                                                                                          Start time:00:12:01
                                                                                          Start date:02/12/2021
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                          Imagebase:0x7ff70d6e0000
                                                                                          File size:51288 bytes
                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:00:12:02
                                                                                          Start date:02/12/2021
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                          Imagebase:0x7ff70d6e0000
                                                                                          File size:51288 bytes
                                                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:00:12:05
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu
Imagebase: 0xba0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.547372307.000000000340A000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.547342704.0000000003370000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.547342704.0000000003370000.00000040.00000010.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:12:10
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,akyncbgollmj
Imagebase: 0xba0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.547349453.0000000002E40000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.547349453.0000000002E40000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.547377185.0000000002E7A000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:12:19
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:12:36
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:12:55
Start date: 02/12/2021
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff62f470000
File size: 163336 bytes
MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:13:13
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 00:13:50
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Imagebase: 0xba0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:13:53
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",YYthscLHd
Imagebase: 0xba0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.662460484.00000000032CA000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.662344438.0000000003210000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.662344438.0000000003210000.00000040.00000010.sdmp, Author: Joe Security

General

Start time: 00:13:59
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Imagebase: 0xba0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:14:04
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Imagebase: 0xba0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:14:06
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:14:06
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7160 -ip 7160
Imagebase: 0xa70000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:14:08
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 320
Imagebase: 0xa70000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:14:11
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:14:14
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7160 -ip 7160
Imagebase: 0xa70000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:14:16
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 328
Imagebase: 0xa70000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:14:31
Start date: 02/12/2021
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase: 0x7ff6cdb30000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 00:14:31
Start date: 02/12/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 00:14:40
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:14:53
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:14:55
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",Control_RunDLL
Imagebase: 0xba0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis