Windows Analysis Report 5i3yQOSqTm

Overview

General Information

Sample Name: 5i3yQOSqTm (renamed file extension from none to dll)
Analysis ID: 532299
MD5: 1e3db971ac31b856864c12b55bcc4435
SHA1: 8f47d8c2d75df496a20b5ddaec949f9524c60a66
SHA256: df1aec18655ffd091bac7e217ad7334c30d99bd906ec9269d0a38c5c92267fbd
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 1860 cmdline: loaddll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 4956 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4668 cmdline: rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 844 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2892 cmdline: rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 1748 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld",BvsmkekIa MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 736 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Tormivkitze\hbajscvbpn.eld",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2952 cmdline: rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5840 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4548 cmdline: rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,akyncbgollmj MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 2092 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 4896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 304 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 2576 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 348 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 988 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5116 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5276 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4144 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5044 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 3520 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 2932 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 1400 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5004 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1860 -ip 1860 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4404 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1860 -ip 1860 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 1208 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2960 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5884 cmdline: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1568 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.568855686.0000000000DA0000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000000.568855686.0000000000DA0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000003.520020229.00000000006CC000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000002.00000003.520020229.00000000006CC000.00000004.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000010.00000002.654498844.0000000000F60000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(35 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.rundll32.exe.ca21e0.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.ca21e0.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.ca21e0.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.ca21e0.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.0.loaddll32.exe.f83618.10.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(75 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started
Author: FPT.EagleEye
Data:
  Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Tormivkitze\hbajscvbpn.eld",Control_RunDLL
  CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Tormivkitze\hbajscvbpn.eld",Control_RunDLL
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld",BvsmkekIa
  ParentImage: C:\Windows\SysWOW64\rundll32.exe
  ParentProcessId: 1748
  ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Tormivkitze\hbajscvbpn.eld",Control_RunDLL
  ProcessId: 736

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 5i3yQOSqTm.dll | Virustotal: Detection: 19%
Source: 5i3yQOSqTm.dll | ReversingLabs: Detection: 17%
Source: 5i3yQOSqTm.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: 5i3yQOSqTm.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.574975422.0000000004C67000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.597304203.000000000106C000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: upwntdll.pdb source: WerFault.exe, 0000001C.00000003.597669330.0000000004ED5000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000017.00000002.585364416.0000000000B42000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001C.00000003.597304203.000000000106C000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE20927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE20927 FindFirstFileExW,

                      E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 5.2.rundll32.exe.ca21e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.ca21e0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.f83618.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.da0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.f83618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.rundll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.31721e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.da0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.f60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.rundll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.f83618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.f83618.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.da0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.f83618.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.f83618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.d12460.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.da0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.f83618.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.8d3508.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.d12460.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.f83618.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.5b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.f83618.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.da0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.e10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.da0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.f60000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.f83618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.8d3508.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.31721e8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.568855686.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.520020229.00000000006CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.654498844.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.569090954.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.784894715.0000000000D60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.568532914.0000000000C8A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.570083613.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.570281269.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.772094317.0000000000C4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.593746221.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.527531884.0000000000A90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.568102560.0000000000B00000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.567804185.000000000315A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.547175169.00000000005B0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.593529130.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.592478741.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.622171924.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.654439419.0000000000CFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.622274934.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.567601226.0000000000E10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.527507715.00000000008BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.592320940.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY

                      System Summary:

Source: 5i3yQOSqTm.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1860 -ip 1860
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Tormivkitze\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F67795
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F71591
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F6B191
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F7DB87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F73782
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F68D80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F64B81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F6358B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F80370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F6BD61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F6CF6E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F76540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F7CD35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F6F73B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F79124
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F6A92F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F6CB13
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F64D1E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F7590E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F73D0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F7BF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F7970A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F7E10A
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6EE01DE0 appears 97 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6EE1AC90 appears 33 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6EE01DE0 appears 97 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6EE1AC90 appears 33 times
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess Stats: CPU usage > 98%
                      Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
                      Source: 5i3yQOSqTm.dllVirustotal: Detection: 19%
                      Source: 5i3yQOSqTm.dllReversingLabs: Detection: 17%
                      Source: 5i3yQOSqTm.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,akyncbgollmj
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld",BvsmkekIa
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1860 -ip 1860
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 304
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1860 -ip 1860
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 348
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Tormivkitze\hbajscvbpn.eld",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,akyncbgollmj
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld",BvsmkekIa
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Tormivkitze\hbajscvbpn.eld",Control_RunDLL
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1860 -ip 1860
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 304
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1860 -ip 1860
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 348
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\System32\svchost.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA26E.tmp
                      Source: classification engineClassification label: mal80.troj.evad.winDLL@46/21@0/1
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:4404:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:5004:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1860
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5028:120:WilError_01
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: 5i3yQOSqTm.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: 5i3yQOSqTm.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.574975422.0000000004C67000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.597304203.000000000106C000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: upwntdll.pdb source: WerFault.exe, 0000001C.00000003.597669330.0000000004ED5000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000017.00000002.585364416.0000000000B42000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001C.00000003.597304203.000000000106C000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00DA13E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EE26A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6EE26A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00A913E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00F613E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EE0E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld
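The process chain listed above (loaddll32/cmd starting rundll32 with ordinal #1, Control_RunDLL and random export names, then rundll32 re-launched by rundll32 from the moved copy C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld with export BvsmkekIa) is the behaviour the "Emotet RunDLL32 Process Creation" Sigma hit in the summary keys on. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it reads Sysmon-style process-creation events constructed from the command lines in this report (PIDs invented) and scores every rundll32 launch on the observed traits: module extension that is not a DLL extension, module in a subdirectory of SysWOW64/System32, module in a user profile, rundll32 parented by rundll32, and an export name that is neither an ordinal nor a well-known export. The threshold of two signals and the KNOWN_EXPORTS allowlist are assumptions made for illustration.

```python
"""Flag Emotet-style rundll32 launch chains in process-creation telemetry.

Added example, not part of the sandbox report. The events at the bottom are
constructed from the command lines in the report; PIDs are invented.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Exports rundll32 is routinely asked to call on legitimate Windows modules
# (assumed allowlist; extend from your own baseline).
KNOWN_EXPORTS = {
    "control_rundll", "dllregisterserver", "dllunregisterserver",
    "dllinstall", "openas_rundll", "shellexec_rundll", "printuientry",
}
MODULE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# rundll32[.exe] <module>,<export>  (module optionally quoted, may contain spaces)
_RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str
    parent_image: str
    command_line: str


def parse_rundll32(command_line):
    """Return (module, export) from a rundll32 command line, or None."""
    m = _RUNDLL_RE.search(command_line)
    return (m.group("module"), m.group("export")) if m else None


def looks_random_export(export):
    """Letters-only export that is neither an ordinal (#1) nor a well-known name.
    Heuristic only; the names in this report (ajkaibu, BvsmkekIa) match it."""
    if export.startswith("#") or export.lower() in KNOWN_EXPORTS:
        return False
    return re.fullmatch(r"[A-Za-z]{6,24}", export) is not None


def analyze(event):
    """Return the list of signals this rundll32 launch triggers (empty if none)."""
    if PureWindowsPath(event.image).name.lower() != "rundll32.exe":
        return []
    parsed = parse_rundll32(event.command_line)
    if parsed is None:
        return []
    module, export = parsed
    path = PureWindowsPath(module)
    parent_dir = str(path.parent).lower()
    signals = []
    if path.suffix.lower() not in MODULE_EXTENSIONS:
        signals.append("non_dll_extension")        # e.g. hbajscvbpn.eld
    # Module one directory below System32/SysWOW64 (C:\Windows\SysWOW64\Tormivkitze\...)
    if str(path.parent.parent).lower() in SYSTEM_DIRS and parent_dir not in SYSTEM_DIRS:
        signals.append("system_subdir_module")
    if parent_dir.startswith("c:\\users\\"):
        signals.append("user_profile_module")
    if PureWindowsPath(event.parent_image).name.lower() == "rundll32.exe":
        signals.append("parent_rundll32")          # re-launch from the moved copy
    if looks_random_export(export):
        signals.append("uncommon_export")
    return signals


def hunt(events, threshold=2):
    """Map pid -> signals for every event that reaches the threshold."""
    flagged = {}
    for event in events:
        signals = analyze(event)
        if len(signals) >= threshold:
            flagged[event.pid] = signals
    return flagged


# Constructed events mirroring the process tree in this report (PIDs invented);
# the last one is a benign control-panel launch used as a negative case.
EVENTS = [
    ProcEvent(100, 10, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\loaddll32.exe",
              r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1'),
    ProcEvent(101, 100, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1'),
    ProcEvent(102, 10, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\System32\loaddll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu"),
    ProcEvent(103, 102, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld",BvsmkekIa'),
    ProcEvent(104, 101, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL'),
    ProcEvent(200, 20, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, signals in hunt(EVENTS).items():
        print(pid, signals)
```

A single weak signal (a DLL under the user profile loaded with ordinal #1, as in the sandbox's own harness call) does not fire on its own; the re-launch from the moved .eld copy collects four signals, and the rundll32-from-rundll32 chains collect two.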

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 5624Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5624Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 844Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                      Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EE20927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6EE20927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: svchost.exe, 00000025.00000002.765014279.000001E037E80000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW@@
                      Source: Amcache.hve.23.drBinary or memory string: VMware
                      Source: Amcache.hve.23.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.23.drBinary or memory string: VMware Virtual USB Mouse
                      Source: WerFault.exe, 0000001C.00000002.621402260.0000000004F08000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.619138830.0000000004F06000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWz
                      Source: Amcache.hve.23.drBinary or memory string: VMware, Inc.
                      Source: Amcache.hve.23.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: svchost.exe, 00000004.00000002.622198085.0000019F85E54000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.621830885.0000019F80829000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.621402260.0000000004F08000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.619138830.0000000004F06000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.621333511.0000000004ED0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000002.765156452.000001E037EE9000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: Amcache.hve.23.drBinary or memory string: VMware, Inc.me
                      Source: svchost.exe, 00000006.00000002.785206676.000001D1BF041000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.784694135.000002163DC29000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Amcache.hve.23.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.23.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: svchost.exe, 00000004.00000002.622214676.0000019F85E61000.00000004.00000001.sdmpBinary or memory string: @Hyper-V RAW
                      Source: svchost.exe, 00000025.00000002.765145830.000001E037EE1000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWSYSTEM\C
                      Source: Amcache.hve.23.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.23.drBinary or memory string: VMware7,1
                      Source: Amcache.hve.23.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.23.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.23.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.23.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.23.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: rundll32.exe, 00000002.00000003.520260330.00000000006E8000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8"P
                      Source: Amcache.hve.23.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.23.dr | Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE0E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE01290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DB07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE19990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE1EC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE202CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE19920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE19920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE19990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE1EC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE202CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE19920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE19920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00AA07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_00F707D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DA2ADB LdrInitializeThunk,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE1A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE1AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE1A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE1AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1860 -ip 1860
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 304
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1860 -ip 1860
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 348
                      Source: loaddll32.exe, 00000000.00000000.593834961.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.569183968.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570462325.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.592597065.0000000001680000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.787160929.0000000003370000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.593834961.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.569183968.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570462325.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.592597065.0000000001680000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.787160929.0000000003370000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.593834961.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.569183968.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570462325.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.592597065.0000000001680000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.787160929.0000000003370000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
                      Source: loaddll32.exe, 00000000.00000000.593834961.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.569183968.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570462325.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.592597065.0000000001680000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.787160929.0000000003370000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
                      Source: loaddll32.exe, 00000000.00000000.593834961.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.569183968.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570462325.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.592597065.0000000001680000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.787160929.0000000003370000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE1A584 cpuid
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE1A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: Amcache.hve.23.dr | Binary or memory string: msmpeng.exe
                      Source: Amcache.hve.23.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: svchost.exe, 0000000E.00000002.784867873.0000022063C3D000.00000004.00000001.sdmp | Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 0000000E.00000002.785225679.0000022063D02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match | File source: 5.2.rundll32.exe.ca21e0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.ca21e0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.f83618.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.da0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.f83618.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.rundll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.31721e8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.da0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.b00000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.f60000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.rundll32.exe.d60000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.f83618.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.f83618.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.5b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.da0000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.f83618.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.b00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.f83618.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.d12460.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.da0000.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.f83618.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.8d3508.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.d12460.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.f83618.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.5b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.f83618.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.da0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.e10000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.e10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.da0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.a90000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.f60000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.f83618.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.a90000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.8d3508.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.31721e8.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000000.568855686.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.520020229.00000000006CC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.654498844.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.569090954.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.784894715.0000000000D60000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.568532914.0000000000C8A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.570083613.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.570281269.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.772094317.0000000000C4B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.593746221.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.527531884.0000000000A90000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.568102560.0000000000B00000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.567804185.000000000315A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.547175169.00000000005B0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.593529130.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.592478741.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.622171924.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.654439419.0000000000CFA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.622274934.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.567601226.0000000000E10000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.527507715.00000000008BA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.592320940.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 1 | DLL Side-Loading 1 | Process Injection 12 | Masquerading 2 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 61 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 3 | Security Account Manager | Virtualization/Sandbox Evasion 3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | System Information Discovery 33 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | File Deletion 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                      Behavior Graph

                      [Behavior graph image not available; the process tree below is reconstructed from the graph's text]

                      Behavior Graph ID: 532299 | Sample: 5i3yQOSqTm | Start date: 02/12/2021 | Architecture: WINDOWS | Score: 80

                      Signatures attached to the sample itself:
                      • Sigma detected: Emotet RunDLL32 Process Creation
                      • Multi AV Scanner detection for submitted file
                      • Yara detected Emotet

                      Process tree (started processes, with signatures shown in brackets):
                      • loaddll32.exe
                        • rundll32.exe [Hides that the sample has been downloaded from the Internet (zone.identifier)]
                          • rundll32.exe
                            • rundll32.exe
                        • cmd.exe
                          • rundll32.exe
                            • rundll32.exe
                        • rundll32.exe
                          • rundll32.exe
                        • 3 other processes
                          • rundll32.exe
                      • svchost.exe [Changes security center settings (notifications, updates, antivirus, firewall)]
                        • MpCmdRun.exe
                          • conhost.exe
                      • svchost.exe
                        • WerFault.exe
                        • WerFault.exe
                      • 10 other processes
                        • 127.0.0.1 (DNS/IP info: unknown, unknown)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      5i3yQOSqTm.dll | 20% | Virustotal |
                      5i3yQOSqTm.dll | 18% | ReversingLabs | Win32.Infostealer.Convagent

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      2.2.rundll32.exe.5b0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      31.2.rundll32.exe.d60000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      5.2.rundll32.exe.b00000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.2.loaddll32.exe.da0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.da0000.9.unpack | 100% | Avira | HEUR/AGEN.1110387
                      7.2.rundll32.exe.e10000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.da0000.6.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.da0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      3.2.rundll32.exe.a90000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.da0000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
                      16.2.rundll32.exe.f60000.1.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      https://watson.telemetry.micro | 0% | URL Reputation | safe
                      http://crl.microsoft | 0% | URL Reputation | safe
                      https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
                      http://crl.ver) | 0% | Avira URL Cloud | safe
                      https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
                      https://%s.xboxlive.com | 0% | URL Reputation | safe
                      https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
                      https://dynamic.t | 0% | URL Reputation | safe
                      https://disneyplus.com/legal. | 0% | URL Reputation | safe
                      http://help.disneyplus.com. | 0% | URL Reputation | safe
                      https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://t0.tiles.ditu.live.com/tiles/gen19svchost.exe, 0000000A.00000003.379684923.0000020610E43000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379704259.0000020610E46000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379668711.0000020610E42000.00000004.00000001.sdmpfalse
                        high
                        https://watson.telemetry.microWerFault.exe, 0000001C.00000002.621402260.0000000004F08000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://dev.ditu.live.com/REST/v1/Routes/svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmpfalse
                          high
                          https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmpfalse
                            high
                            http://crl.microsoftWerFault.exe, 0000001C.00000003.619241344.0000000004F1B000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 0000000A.00000003.379713180.0000020610E40000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.382133765.0000020610E41000.00000004.00000001.sdmpfalse
                              high
                              https://dev.ditu.live.com/REST/v1/Traffic/Incidents/svchost.exe, 0000000A.00000002.382143532.0000020610E56000.00000004.00000001.sdmpfalse
                                high
                                https://dev.virtualearth.net/REST/v1/Routes/Walkingsvchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmpfalse
                                  high
                                  https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmpfalse
                                    high
                                    https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmpfalse
                                      high
                                      https://dev.ditu.live.com/REST/v1/Imagery/Copyright/svchost.exe, 0000000A.00000003.379648907.0000020610E5E000.00000004.00000001.sdmpfalse
                                        high
                                        https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmpfalse
                                          high
                                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmpfalse
                                            high
                                            https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 0000000A.00000003.379644083.0000020610E60000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.382148880.0000020610E61000.00000004.00000001.sdmpfalse
                                              high
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2004/09/enumeration | svchost.exe, 00000004.00000002.621987822.0000019F808B7000.00000004.00000001.sdmp; svchost.exe, 00000004.00000003.621423495.0000019F808B1000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/enumera | svchost.exe, 00000004.00000002.621987822.0000019F808B7000.00000004.00000001.sdmp; svchost.exe, 00000004.00000003.621423495.0000019F808B1000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket= | svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 0000000A.00000002.382112778.0000020610E13000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp | false | | high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp | false | | high
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000025.00000003.729111764.000001E03877A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 0000000A.00000003.379142007.0000020610E69000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000002.382154384.0000020610E6B000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000004.00000002.622117475.0000019F85E13000.00000004.00000001.sdmp; svchost.exe, 00000025.00000002.765156452.000001E037EE9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000A.00000003.379657424.0000020610E5A000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000003.379668711.0000020610E42000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000002.382146085.0000020610E5B000.00000004.00000001.sdmp | false | | high
http://upx.sf.net | Amcache.hve.23.dr | false | | high
https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000025.00000003.731786295.000001E03877B000.00000004.00000001.sdmp; svchost.exe, 00000025.00000003.731823212.000001E0387D5000.00000004.00000001.sdmp; svchost.exe, 00000025.00000003.731811576.000001E03879D000.00000004.00000001.sdmp; svchost.exe, 00000025.00000003.731869215.000001E038777000.00000004.00000001.sdmp; svchost.exe, 00000025.00000003.731800691.000001E03878C000.00000004.00000001.sdmp; svchost.exe, 00000025.00000003.731837751.000001E0387D5000.00000004.00000001.sdmp; svchost.exe, 00000025.00000003.731851677.000001E0387BE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 00000006.00000002.785206676.000001D1BF041000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000A.00000002.382139213.0000020610E4E000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000003.379684923.0000020610E43000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000003.379704259.0000020610E46000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000003.379668711.0000020610E42000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000A.00000002.382143532.0000020610E56000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000A.00000003.379657424.0000020610E5A000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000002.382146085.0000020610E5B000.00000004.00000001.sdmp | false | | high
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000025.00000003.729111764.000001E03877A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000A.00000002.382143532.0000020610E56000.00000004.00000001.sdmp | false | | high
https://dynamic.t | svchost.exe, 0000000A.00000003.379668711.0000020610E42000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000003.379648907.0000020610E5E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp | false | | high
https://disneyplus.com/legal. | svchost.exe, 00000025.00000003.729111764.000001E03877A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000003.379694312.0000020610E39000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000A.00000003.379657424.0000020610E5A000.00000004.00000001.sdmp; svchost.exe, 0000000A.00000002.382146085.0000020610E5B000.00000004.00000001.sdmp | false | | high
https://activity.windows.com | svchost.exe, 00000006.00000002.785206676.000001D1BF041000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp | false | | high
http://help.disneyplus.com. | svchost.exe, 00000025.00000003.729111764.000001E03877A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://%s.dnet.xboxlive.com | svchost.exe, 00000006.00000002.785206676.000001D1BF041000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000A.00000002.382143532.0000020610E56000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000A.00000003.379648907.0000020610E5E000.00000004.00000001.sdmp | false | | high
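Every source in the URL table above is a memory dump of svchost.exe (process numbers 00000004, 00000006, 0000000A and 00000025) or the Amcache.hve dropped file; none of the strings was recovered from the rundll32 process that hosts the sample, so they are Windows background strings (Bing Maps SDK, Xbox Live, Store content), not Emotet indicators. The following added example, which is not part of the Joe Sandbox report, makes that attribution mechanically: it parses each source token and groups the URLs by the process that held them, flagging any URL that came from the sample's host process. The input rows are copied from the table above; the field meanings assumed for the dump identifier (first field = process number within the analysis, second = dump number, fourth = base address) and the choice of rundll32.exe as the sample's host image are assumptions, not something the report states.

```python
"""Attribute 'URLs found in memory' rows to the process that held them so that
system-process noise can be separated from strings that came from the sample.
Added example; not Joe Sandbox code."""
import re
from collections import defaultdict

# A Joe Sandbox memory dump is named like
#   00000004.00000002.621987822.0000019F808B7000.00000004.00000001.sdmp
# Assumption: field 1 is the process number within the analysis, field 2 the
# dump number for that process, field 4 the base address of the dumped region.
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<dump>[0-9A-F]{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<f5>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\.sdmp$"
)
# Dropped-file sources look like "Amcache.hve.23.dr".
DROPPED_RE = re.compile(r"^(?P<name>.+)\.(?P<n>\d+)\.dr$")

# Constructed input: a handful of rows from the report's URL table, as
# (url, [source token, ...]).
ROWS = [
    ("http://www.bingmapsportal.com",
     ["svchost.exe, 0000000A.00000002.382112778.0000020610E13000.00000004.00000001.sdmp"]),
    ("https://dev.virtualearth.net/REST/v1/Routes/",
     ["svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp"]),
    ("https://%s.xboxlive.com",
     ["svchost.exe, 00000006.00000002.785206676.000001D1BF041000.00000004.00000001.sdmp"]),
    ("http://crl.ver)",
     ["svchost.exe, 00000004.00000002.622117475.0000019F85E13000.00000004.00000001.sdmp",
      "svchost.exe, 00000025.00000002.765156452.000001E037EE9000.00000004.00000001.sdmp"]),
    ("http://upx.sf.net", ["Amcache.hve.23.dr"]),
]


def parse_source(src):
    """Return ('process', image, proc_no, base) or ('dropped', name, None, None)."""
    m = DROPPED_RE.match(src)
    if m:
        return ("dropped", m.group("name"), None, None)
    image, _, dump = src.partition(", ")
    m = DUMP_RE.match(dump)
    if not m:
        raise ValueError(f"unrecognised source token: {src!r}")
    return ("process", image, int(m.group("proc"), 16), int(m.group("base"), 16))


def attribute(rows, sample_images=("rundll32.exe",)):
    """Group URLs by holding process ("image#procno") or dropped file, and
    return the set of URLs held by the sample's own host process.
    sample_images is an assumption: the report runs the DLL under rundll32."""
    by_holder = defaultdict(set)
    from_sample = set()
    for url, sources in rows:
        for src in sources:
            kind, name, proc, _base = parse_source(src)
            key = f"{name}#{proc:08X}" if kind == "process" else f"{name} (dropped file)"
            by_holder[key].add(url)
            if kind == "process" and name.lower() in sample_images:
                from_sample.add(url)
    return dict(by_holder), from_sample


if __name__ == "__main__":
    groups, flagged = attribute(ROWS)
    for key in sorted(groups):
        print(f"{key}: {len(groups[key])} URL(s)")
    print("URLs from the sample's process:", sorted(flagged) or "none")
```

Run on the full table, the script lists only svchost.exe process numbers and the Amcache.hve dropped file as holders and an empty "from sample" set; a non-empty set would be the rows worth treating as candidate C2 or payload URLs.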

Contacted IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no entries)

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:532299
Start date:02.12.2021
Start time:00:03:12
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 12m 34s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:5i3yQOSqTm (renamed file extension from none to dll)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:40
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal80.troj.evad.winDLL@46/21@0/1
EGA Information:Failed
HDC Information:
• Successful, ratio: 22.2% (good quality ratio 20.6%)
• Quality average: 72.9%
• Quality standard deviation: 27.5%
HCA Information:
• Successful, ratio: 72%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, UpdateNotificationMgr.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.4.86, 104.208.16.94, 20.54.110.249
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
00:04:18 | API Interceptor | 10x Sleep call for process: svchost.exe modified
00:06:46 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
00:07:05 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

                                                                                                    Created / dropped Files

                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\edb.chk
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):8192
                                                                                                    Entropy (8bit):0.3593198815979092
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
                                                                                                    MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
                                                                                                    SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
                                                                                                    SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
                                                                                                    SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
                                                                                                    Malicious:false
                                                                                                    Preview: .............*..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................*.............................................................................................................................................................................................................................................................................................................................................................
                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:MPEG-4 LOAS
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1310720
                                                                                                    Entropy (8bit):0.24943230285109033
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4c:BJiRdwfu2SRU4c
                                                                                                    MD5:F8278FB6F0FAD83F958977C17923316B
                                                                                                    SHA1:FE8CB5839B2093F8A5317A75C069BD6245F3CF18
                                                                                                    SHA-256:8C9BC794CF48BD82D4623952C2CE7515EE1550C7882E444203E78C3D1479332C
                                                                                                    SHA-512:02C98ED96223F753B1FA6D63C34ACB02B0D528CA6ED658376F6F22714340B60E6EFE95D2235B380BD2B45F2C5DAF3166309FEE5F11A74EAECFE6A3EDE02DC96C
                                                                                                    Malicious:false
                                                                                                    Preview: V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x2896c4f4, page size 16384, Windows version 10.0
                                                                                                    Category:dropped
                                                                                                    Size (bytes):786432
                                                                                                    Entropy (8bit):0.2506497898872072
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:JTq+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:JTFSB2nSB2RSjlK/+mLesOj1J2
                                                                                                    MD5:1530FAF726F6F710DDB030432232F4CD
                                                                                                    SHA1:32DF13656F3BF34E9260D1ACBD6F4558B6455DE0
                                                                                                    SHA-256:5D1FD4301EE259117F9B5C3630E5D224672D731C41316409E0AA360CD06216C0
                                                                                                    SHA-512:DFA69D72075DDDEEF73529533B39EA8135A12384976D826F3EC841255CD899D0B3C31154C96E6FCC86D98EA0F8FF711997BF04B615EF93B1E2ED41263071DEC7
                                                                                                    Malicious:false
                                                                                                    Preview: (...... ................e.f.3...w........................)....."....yY......y..h.(....."....yY...)..............3...w...........................................................................................................B...........@...................................................................................................... .....................................................................................................................................................................................................................................................]."....yY..................[.."....yY.........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):16384
                                                                                                    Entropy (8bit):0.07672165611230795
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:0fr7v3JuxlXSpc4HF4j/IpcYkl+D7lXall3Vkttlmlnl:0jr5elKc4HF4j/IpcYz7le3
                                                                                                    MD5:E1DF4B0C131268DF0CC7C40FA2D76440
                                                                                                    SHA1:0A41A9A9F05BC5C0FF818EFF2D38B80EB90E08F2
                                                                                                    SHA-256:091C13E9203F05B3EBBDA0BD13FE6DB8D34E63A0A2112A9D5BFD043EF67F5664
                                                                                                    SHA-512:A6B31FC36A2584E54AE22D2B720F0D9B9B65DD48F7697A2A9F0B11639BF11E1A5FD22CB884536895CA4FB33C603B12D3672177688A25285FDE385E5C8C935F29
                                                                                                    Malicious:false
                                                                                                    Preview: Q(.z.....................................3...w.......y.."....yY........."....yY."....yY.F.E."....y}..................[.."....yY.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_747b3d3843a661accc8c92924ccfd5a2e2d128_d70d8aa6_12aa26b5\Report.wer
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.6754306180786143
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:o2+JPZqyXy9hkoyt7JfqpXIQcQ5c6A2cE2cw33+a+z+HbHgQ2VG4rmMOyWZAXGnd:oHB2HnM28jjX9q/u7sZS274ItW
                                                                                                    MD5:EF07A93E9C6F43E4254FB502F910B953
                                                                                                    SHA1:CFE89B53CF44DF6CD2D77F1ADB52E9268E58B13F
                                                                                                    SHA-256:3D1E873CC14934D8159F62E8B98FE7B2B2A8B93195D406D0F19875A6BA23D83F
                                                                                                    SHA-512:32D13E1D700FCEF635418461D8B531028ECB484296880EFBF2216C3E6B168DFA1B120B7F7FA8607AD041012D6C631AFF079ADC252C6BE0ADE2F980522F7E1CBA
                                                                                                    Malicious:false
                                                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.6.0.0.5.8.8.4.5.6.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.1.d.0.d.d.8.b.-.a.6.e.b.-.4.a.5.d.-.8.6.4.1.-.5.3.0.7.5.9.3.0.b.4.b.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.9.4.8.b.d.d.-.a.e.3.b.-.4.c.3.6.-.a.2.1.1.-.2.4.7.0.c.9.5.c.c.d.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.4.4.-.0.0.0.1.-.0.0.1.6.-.e.9.0.c.-.a.e.3.2.5.3.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_0b9adb6f\Report.wer
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.678887484512025
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:etgF7PZqyzy9hk1Dg3fWpXIQcQYc6ZcEKcw3u+a+z+HbHgQ2VG4rmMOyWZAXGngt:hfBDHWdQAjX9q/u7scS274ItW
                                                                                                    MD5:A81BF43CB7A3237E273539D143738BE5
                                                                                                    SHA1:633AF7CA87F63EBE6DFEE0D600C325C6FB3CA12C
                                                                                                    SHA-256:A310110AC5DFC5AFEF9E91FBCDF7A8BD575E73CB0127A974BA4DE22AA215B33F
                                                                                                    SHA-512:90A4698D36E426662429D6FFF735FFB40AD754ECE47E991006F5E2156E0A31484F0D255FBE0E76647B4AE87EE36310EC91352D6BF306613EF50CD6AC1E7287E6
                                                                                                    Malicious:false
                                                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.6.0.1.6.4.4.7.6.2.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.9.0.6.0.2.4.4.0.0.7.4.7.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.a.3.3.9.8.a.-.7.8.e.6.-.4.a.9.6.-.b.e.c.0.-.b.4.b.4.2.4.a.5.6.e.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.5.9.1.5.4.4.-.4.0.8.b.-.4.e.9.4.-.b.9.d.5.-.8.c.d.4.d.b.c.8.0.1.8.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.4.4.-.0.0.0.1.-.0.0.1.6.-.e.9.0.c.-.a.e.3.2.5.3.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER180F.tmp.dmp
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 08:06:46 2021, 0x1205a4 type
                                                                                                    Category:dropped
                                                                                                    Size (bytes):26528
                                                                                                    Entropy (8bit):2.5120002974365048
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:XpF8O3Z7pOLpAB9ACw0kSIfaq8JW2HSZ7TDVe:8YZ7sdABfwqOaq8JW2Hj
                                                                                                    MD5:77C146715D33B8B4F4707E29B0C51982
                                                                                                    SHA1:C6F9F4EFAF91D4930A0C7637FACCDE460B8E7339
                                                                                                    SHA-256:A91B1B701E47CBB5B1DC7ABEFBEEF31B9C7FB726A63DEC5A6CB9402BC9916740
                                                                                                    SHA-512:DD5FEA27B73EFF3644DC99BBC91D60AE4052F258C12E6590802E2C3140D6265E0DF674849758D07F78051E49BAFB77FEDF72B40B9BA27B1EBFD47FD099008183
                                                                                                    Malicious:false
                                                                                                    Preview: MDMP....... ........~.a............4...............H.......$...........................`.......8...........T...........h...8[...........................................................................................U...........B......p.......GenuineIntelW...........T.......D....}.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BF8.tmp.WERInternalMetadata.xml
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):8340
                                                                                                    Entropy (8bit):3.699389225248728
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:Rrl7r3GLNit76z6YImSU3LgmfcSzfCpBw89b32sfH9m:RrlsNix6z6YpSU3LgmfcSzo3VfA
                                                                                                    MD5:DD5AE7B00C56C07184EB78FA77415001
                                                                                                    SHA1:F455C82320513D23BD5FDC741C8FBB4C704FF88D
                                                                                                    SHA-256:2F100CDCD4FBC8EECDD37890BCCD386F08DAB9B42418C9427953933A0C68CB60
                                                                                                    SHA-512:9CC012ACDD774F25D6659B79C3ABB1BA5AB38CF60CA832D89C851D179FDB00C8767C998582525C47FB68A3E129484C2FF1275667F5E368D17DDFF5BBB95B3FC0
                                                                                                    Malicious:false
                                                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.8.6.0.<./.P.i.d.>.......
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FE1.tmp.xml
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4598
                                                                                                    Entropy (8bit):4.47174106724153
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:cvIwSD8zsuJgtWI9bLWSC8Bu8fm8M4J2ynZF2+q84WDoKcQIcQwQvd:uITfk46SNRJ1aYoKkwQvd
                                                                                                    MD5:75004B30D6FF99B8C8CDF729653A1C92
                                                                                                    SHA1:1BCD871E983772132482515F60E87D280D23C8F2
                                                                                                    SHA-256:9C0FACEB54E46D41642A83F5AB8B22C88E0FA1BC83F58360D79F0DFCCE54A1CB
                                                                                                    SHA-512:C49C25D4EB5A3F8AE5A4A86D9E5B29ADEAD0C245429212988C88FA8A3FCBB665ABB726D0AE143D569239F2A8ED4A5E22C819C3074A86C12ED556F3EAA26D625A
                                                                                                    Malicious:false
                                                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279757" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER4152.tmp.dmp
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 08:06:57 2021, 0x1205a4 type
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1059544
                                                                                                    Entropy (8bit):1.3696560040117185
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:WGIvIUKEWsK/VFlJIALbKvhQ0mS+sqMIzdd7hRua1FK3mP90VtITLICs5eww27qp:hjlx+uCf7mkv2
                                                                                                    MD5:FBE4CFA5E26BAB7AB2CCE8D3EFF0ACEF
                                                                                                    SHA1:55E0B876345E96A903E314829B20EB8EB7384E6B
                                                                                                    SHA-256:C1E8B52B35A825FE35A91E2D354F312034BB6A8C5E732172C93088E2B38ADB77
                                                                                                    SHA-512:81FE2EB6238DDB6468CC60E96E6E44561542466853C3D1F973A8A466981099EC8C7C86B77584B148ADCD41D185EA7C1BC41F658AEB8E219603C47E217C62A20E
                                                                                                    Malicious:false
                                                                                                    Preview: MDMP....... ........~.a............4...............H.......$...........................`.......8...........T...........@................................................................................................U...........B......p.......GenuineIntelW...........T.......D....}.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A2C.tmp.WERInternalMetadata.xml
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):8298
                                                                                                    Entropy (8bit):3.6930371653252183
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:Rrl7r3GLNitv6W6YIySU5gmfL8GSdCpDP89bB2sf07rm:RrlsNiV6W6YtSU5gmfLrS9BVfj
                                                                                                    MD5:943EEFFC79A98B6E757CE48D6565E2A7
                                                                                                    SHA1:6D0FDA51A899B8DA9DD7D9502D16F94CD6657208
                                                                                                    SHA-256:E951051CF3995E2F913D162EEC3A1B387C5273F2EC063399D75ABB5382071B29
                                                                                                    SHA-512:56B9A010325813A05445ADACA1BF4A4B9A7C963B2BA8F42D9884A81557165B9EA297BC65908D2F596E4476BBFA7B548BE621E23C4A35EF44E2D1E2EE7C729DC2
                                                                                                    Malicious:false
                                                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.8.6.0.<./.P.i.d.>.......
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D4A.tmp.xml
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4558
                                                                                                    Entropy (8bit):4.428483588419375
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:cvIwSD8zsuJgtWI9bLWSC8BJ8fm8M4J2yGtFvIG+q84tjsKcQIcQwQvd:uITfk46SNMJEn/xsKkwQvd
                                                                                                    MD5:FE22CC33AE1C993EAC130D1C7BEB3126
                                                                                                    SHA1:084592D6FA7945F8D0C0E59B2DCE5A42B1F79851
                                                                                                    SHA-256:C8BAC1492F4A450A4D73175C9E96615CDB8A2661D63BAA7D5DAB4A18251CDF5D
                                                                                                    SHA-512:03A2CB0E18B84EFEDD16A95A86B18DBCACDE1BC0D33EFF77ABBEF39049395622421E791D680ADF5D9C7AEC0FAE2A21137D5B0F7F5AE8D4175B1B357E372AC63E
                                                                                                    Malicious:false
                                                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279757" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERA26E.tmp.csv
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49378
                                                                                                    Entropy (8bit):3.0511470645915133
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:cJHL2R822reJXHInsZsVxIUPxXNsGGJYUPu8SvAlv8Cu2fvwP6+iEpYFXiFvoh:cJHL2R822reJXHInsZsVxIUPxXNvGWLs
                                                                                                    MD5:DBE5DCA698DEDE74DDCE2561BC5EC011
                                                                                                    SHA1:E01D7EF9CA7CAD3DBBC8759CE8EA2402DBEDA6AA
                                                                                                    SHA-256:4907C8CBA96877B72CBAADFE2975C8D66AFB6AB762F810E35D9FE7FB93A059E4
                                                                                                    SHA-512:95F40FCB06C72BC214D07D2F80006528596D83C0FBAA1A4C22803CDD6FA5EF571623727277D3CD6546F1C99E72A274DB94D9FFB357BDE0DB67FCE95912F164F6
                                                                                                    Malicious:false
                                                                                                    Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERA686.tmp.txt
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):13340
                                                                                                    Entropy (8bit):2.6936467116346887
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:9GiZYWjEnRhvIYGYHOWhpH8YEZl0t8iyZwow8wPDaaP/i0u/kIcc3:9jZD3RJ6GaP/pu/Tcc3
                                                                                                    MD5:02CC4555D4076B2561FFAF2402BEADA4
                                                                                                    SHA1:72991E38FE5CA63E91344F18EC141FEA3539F7B8
                                                                                                    SHA-256:5FC8923EE6CE6EE3476A77681C769297B12ACCF8B8B5805E550DCEAF67E14FE0
                                                                                                    SHA-512:7F3558855CA25450509466CDBF661AAE4B48F907C1992A0577012FA9FC126F2DE2FEEE6D6B0724E58520BC80559B78AE158E7C175ACD913F4C962057CDB3CA2F
                                                                                                    Malicious:false
                                                                                                    Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFF9.tmp.csv
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49504
                                                                                                    Entropy (8bit):3.051206324644155
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:RdH8h/422deJczInsZfyxvPxXNsO9zYp50rIDA0FaeosU8wNkJcEBdKf:RdH8h/422deJczInsZfyxvPxXNn9U7Ts
                                                                                                    MD5:EF3F085EDE7002C660EFA32DD6212C3F
                                                                                                    SHA1:73D67037A2DE85977BC34573E067E938516DD8A9
                                                                                                    SHA-256:1A1193CDCE1E9AE0A69FB900016B9F6FDE79161D4E976CF6C4EAB7CAC9CF39B2
                                                                                                    SHA-512:F2582A8656DBCFCB9FBB1586E343F278DDF4DBDE3B028336B6F4850E8C0825F55B1A22DDBC8C65FE1A36EA7561A261376D58BD057C4495A550114A7BF516507D
                                                                                                    Malicious:false
                                                                                                    Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERD410.tmp.txt
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):13340
                                                                                                    Entropy (8bit):2.6943056660058997
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:9GiZYWU59ovyYZYDWgwhHQVYEZUvtriBIZQKoi8wgh2fgaXgqAN7Ivr3:9jZDo+nyEkthGgaXgqAN0vr3
                                                                                                    MD5:F92759062A0F6E1CA57BFFFDDDBF4D27
                                                                                                    SHA1:43EF626ED3601ACAC280BDA7C1244163FBB28B83
                                                                                                    SHA-256:3DA9A14BD37D23C810F20B36517E5F60B59B0C20605A797270F13BB69D3903FD
                                                                                                    SHA-512:2F0A9BB83A01F69D49D1E5C541B646BB42E1D6BD2C3F6B2A096E5C5B7AE1682CF3E6304829A931B08069925DE3B5274C99DD97109FCA2AAF4D4D8EFDCB222E43
                                                                                                    Malicious:false
                                                                                                    Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):55
                                                                                                    Entropy (8bit):4.306461250274409
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                    Malicious:false
                                                                                                    Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):7250
                                                                                                    Entropy (8bit):3.1655472251388366
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cEj+AbCEH+AbuEAc+AbhGEA+AbNEe+Ab/Ee+AbPE6w9+Ab1wTE6+Aby:cY+38+DJc+iGr+MZ+65+6tg+ECV+v
                                                                                                    MD5:C9E5773BFBBFBF5BF211AC9EAEFC2C37
                                                                                                    SHA1:5F8266E69272284DF7BD609F20F995A7FFC01221
                                                                                                    SHA-256:4BC5CFF69044A20C22EC1B65DE02042C5A6FB5B968F8319094047CF20A89E513
                                                                                                    SHA-512:14248A940984CC2D96F4A1A5FEAE5103F3EFE355BEEBB21810177D6713985E50C77152BC2D64DC4F705B04405BE064F2D7B182ECB1BE3C3B94DAB3D1C927CBC5
                                                                                                    Malicious:false
                                                                                                    Preview: ..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
                                                                                                    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_080449_032.etl
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):12288
                                                                                                    Entropy (8bit):3.8265123990755723
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:PCOU/o+RV5T59G2YCXCv4I2lzlkCe4isT2/YFzxUMCy6JRTY5NEUMCWY5GUMCfl+:KJHFsD2XMECtRCkCeC4OC9Cs
                                                                                                    MD5:AEADFFF9416C65D6239813A510D345EE
                                                                                                    SHA1:1CED2893980CC958158B72FD3CA598BA1162F084
                                                                                                    SHA-256:204B04665534F5497E88C076489CF9B052DF25E80A1EFFD5DC7666AE300D3B54
                                                                                                    SHA-512:D1A55EEF7A66A1C62891AF0ED9EA2C2BBE6EA7AD9348638804BB26C6BDB8B93FFCDB1FCB74A48CE51C42235263FC4ABC72BCE890F77AE90654CB121D890F5EAA
                                                                                                    Malicious:false
                                                                                                    Preview: .... ... ....................................... ...!....................................mk......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... ......f.GS...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.2.0.2._.0.8.0.4.4.9._.0.3.2...e.t.l.........P.P..........mk.....................................................................................................................................................................................................................................................................
                                                                                                    C:\Windows\appcompat\Programs\Amcache.hve
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1572864
                                                                                                    Entropy (8bit):4.264930724718149
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:UU8NAfh3anj7OLUrkgt4sP7vz1nGgXFbiFdA1RG+fm0PGjbk4FDjmBZt:j8NAfh3anj7OLUrWAFBt
                                                                                                    MD5:BBDCB8D777F9BFDBFEAF086ADF129A6E
                                                                                                    SHA1:9DBCAAB60636EBD6A7509263D65DD4EC78D5D756
                                                                                                    SHA-256:6FEC9121A69815D374B284A7DA85901775086091B2FB173845F6529A7F443166
                                                                                                    SHA-512:EA03D139C5D0CB98768E2D60286E29C9CFCC058E65ABFC41E70A68895F348AB8FC36E663770D331FEEEA8478FC4BF5ECA5935ECE77E8C066F4D9583EB4E575E9
                                                                                                    Malicious:false
                                                                                                    Preview: regfR...R...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...S...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                    Category:dropped
                                                                                                    Size (bytes):16384
                                                                                                    Entropy (8bit):3.05442335548835
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:ClY2Y1oxkbRpbZhYb5FSE9lMqXyQVWnxuYW2oaKqe8mxwpeuN5X:UtbCk5TXQnxuf2oaPmxwpeuN5X
                                                                                                    MD5:99D2EFABDBC2BAFB543A7C624892087D
                                                                                                    SHA1:87B3DB69B85989D8A1DCD92CB529EAEB0D893290
                                                                                                    SHA-256:7F2C869A40CC4ED4D7F9006470DCE72122DA0B5CB2AB6249A5441C541756987A
                                                                                                    SHA-512:C7691CF00BE2FC711D669C24A7A2416093D00A46FCAA0E3CE8FB60A15378D505209527ECE1879504976A38C1EBF0B47949A0BE5D8CBF5CD87AA6A18EA6458C3A
                                                                                                    Malicious:false
                                                                                                    Preview: regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...S..................................................................................................................................................................................................................................................................................................................................................HvLE.>......Q...............}.....]..#........................hbin................p.\..,..........nk,..[.S.......p........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..[.S....... ...........P............... .......Z.......................Root........lf......Root....nk ..[.S....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                                                                                                    Static File Info

                                                                                                    General

                                                                                                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Entropy (8bit):7.067333612631272
                                                                                                    TrID:
                                                                                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                    • DOS Executable Generic (2002/1) 0.20%
                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                    File name:5i3yQOSqTm.dll
                                                                                                    File size:372736
                                                                                                    MD5:1e3db971ac31b856864c12b55bcc4435
                                                                                                    SHA1:8f47d8c2d75df496a20b5ddaec949f9524c60a66
                                                                                                    SHA256:df1aec18655ffd091bac7e217ad7334c30d99bd906ec9269d0a38c5c92267fbd
                                                                                                    SHA512:66f9cf44cc85cba27c2194ae0803bd3914926763455a3871b5c452720a5815bf04aba4753dde4ffa274e7abb98f259fac24543201bcc74ce2485805ac9352c99
                                                                                                    SSDEEP:6144:qRsMh9YQWtcgA70wgF7nJyq6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFLPRQKqV4epRmxAvAD
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

                                                                                                    File Icon

                                                                                                    Icon Hash:74f0e4ecccdce0e4

                                                                                                    Static PE Info

                                                                                                    General

                                                                                                    Entrypoint:0x1001a401
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x10000000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                    Time Stamp:0x61A7100E [Wed Dec 1 06:02:54 2021 UTC]
                                                                                                    TLS Callbacks:0x1000c500
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:6
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:6
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:6
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:609402ef170a35cc0e660d7d95ac10ce

                                                                                                    Entrypoint Preview

                                                                                                    Instruction
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    cmp dword ptr [ebp+0Ch], 01h
                                                                                                    jne 00007F10D0B59707h
                                                                                                    call 00007F10D0B59A98h
                                                                                                    push dword ptr [ebp+10h]
                                                                                                    push dword ptr [ebp+0Ch]
                                                                                                    push dword ptr [ebp+08h]
                                                                                                    call 00007F10D0B595B3h
                                                                                                    add esp, 0Ch
                                                                                                    pop ebp
                                                                                                    retn 000Ch
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    push dword ptr [ebp+08h]
                                                                                                    call 00007F10D0B59FAEh
                                                                                                    pop ecx
                                                                                                    pop ebp
                                                                                                    ret
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    jmp 00007F10D0B5970Fh
                                                                                                    push dword ptr [ebp+08h]
                                                                                                    call 00007F10D0B5DA94h
                                                                                                    pop ecx
                                                                                                    test eax, eax
                                                                                                    je 00007F10D0B59711h
                                                                                                    push dword ptr [ebp+08h]
                                                                                                    call 00007F10D0B5DB10h
                                                                                                    pop ecx
                                                                                                    test eax, eax
                                                                                                    je 00007F10D0B596E8h
                                                                                                    pop ebp
                                                                                                    ret
                                                                                                    cmp dword ptr [ebp+08h], FFFFFFFFh
                                                                                                    je 00007F10D0B5A073h
                                                                                                    jmp 00007F10D0B5A050h
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    push 00000000h
                                                                                                    call dword ptr [1002808Ch]
                                                                                                    push dword ptr [ebp+08h]
                                                                                                    call dword ptr [10028088h]
                                                                                                    push C0000409h
                                                                                                    call dword ptr [10028040h]
                                                                                                    push eax
                                                                                                    call dword ptr [10028090h]
                                                                                                    pop ebp
                                                                                                    ret
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    sub esp, 00000324h
                                                                                                    push 00000017h
                                                                                                    call dword ptr [10028094h]
                                                                                                    test eax, eax
                                                                                                    je 00007F10D0B59707h
                                                                                                    push 00000002h
                                                                                                    pop ecx
                                                                                                    int 29h
                                                                                                    mov dword ptr [1005AF18h], eax
                                                                                                    mov dword ptr [1005AF14h], ecx
                                                                                                    mov dword ptr [1005AF10h], edx
                                                                                                    mov dword ptr [1005AF0Ch], ebx
                                                                                                    mov dword ptr [1005AF08h], esi
                                                                                                    mov dword ptr [1005AF04h], edi
                                                                                                    mov word ptr [eax], es

                                                                                                    Data Directories

                                                                                                    Name                                   Virtual Address   Virtual Size   Is in Section
                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT           0x58390           0x8ac          .rdata
                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT           0x58c3c           0x3c           .rdata
                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0               0x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY         0x0               0x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC        0x5d000           0x1bb0         .reloc
                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG            0x56fdc           0x54           .rdata
                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS              0x57100           0x18           .rdata
                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x57030           0x40           .rdata
                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT              0x28000           0x154          .rdata
                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0               0x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0

                                                                                                    Sections

                                                                                                    Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type   Entropy         Characteristics
                                                                                                    .text    0x1000            0x264f4        0x26600    False      0.546620521173    data        6.29652715831   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                    .rdata   0x28000           0x313fa        0x31400    False      0.822468868972    data        7.43224405131   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                    .data    0x5a000           0x1844         0xe00      False      0.270647321429    data        2.60881097454   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                    .pdata   0x5c000           0x66c          0x800      False      0.3583984375      data        2.21689595795   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                    .reloc   0x5d000           0x1bb0         0x1c00     False      0.784598214286    data        6.62358237634   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                    Imports

                                                                                                    DLL            Import
                                                                                                    KERNEL32.dll   HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer
                                                                                                    USER32.dll     GetDC, ReleaseDC, GetWindowRect

                                                                                                    Exports

                                                                                                    Name                 Ordinal   Address
                                                                                                    Control_RunDLL       1         0x100010a0
                                                                                                    ajkaibu              2         0x100016c0
                                                                                                    akyncbgollmj         3         0x10001480
                                                                                                    alrcidxljxybdggs     4         0x10001860
                                                                                                    bgmotrriehds         5         0x10001820
                                                                                                    bojkfvynhhupnooyb    6         0x100019f0
                                                                                                    bujuoqldqlzaod       7         0x10001800
                                                                                                    bunsahctogxzts       8         0x100019e0
                                                                                                    cjogbtafwukesw       9         0x10001830
                                                                                                    csbbcaopuok          10        0x100016a0
                                                                                                    cyqrjpaeorjur        11        0x100015f0
                                                                                                    dlrzuyaeqj           12        0x10001840
                                                                                                    egiimrq              13        0x10001850
                                                                                                    evhgyts              14        0x100014f0
                                                                                                    fdqpjjjyuw           15        0x100017e0
                                                                                                    finabzjyxhxnnuuv     16        0x10001510
                                                                                                    fkeacqpbbfw          17        0x10001910
                                                                                                    fuwsgzf              18        0x10001790
                                                                                                    fzbmpailk            19        0x10001980
                                                                                                    gamsrhauvgl          20        0x10001810
                                                                                                    gjfqgtgk             21        0x10001a10
                                                                                                    gwsmfxfmekkyr        22        0x100018b0
                                                                                                    haymuvtatadeydqmk    23        0x10001530
                                                                                                    hqruohhkvpdalhq      24        0x10001620
                                                                                                    htdaydfvtjlujwcaj    25        0x10001660
                                                                                                    hzyrvjtx             26        0x100017c0
                                                                                                    ifnsupqhxkwj         27        0x10001870
                                                                                                    ijhgowlpmypocg       28        0x10001720
                                                                                                    ispjhrqaxnyflnn      29        0x100015a0
                                                                                                    iszvcqv              30        0x100017a0
                                                                                                    ixgucop              31        0x100018d0
                                                                                                    jcdvrhrguqtjpkc      32        0x100016b0
                                                                                                    jkfyadsdpoks         33        0x100019c0
                                                                                                    kfzgxmljkwaqy        34        0x10001730
                                                                                                    kzfvroxozxufciczm    35        0x10001740
                                                                                                    lpstjqa              36        0x10001900
                                                                                                    ltkoyvzovzkqemyw     37        0x10001630
                                                                                                    mdigcwjymnzvgaql     38        0x100014d0
                                                                                                    mefathlzguuhqodfx    39        0x10001950
                                                                                                    mgsrmfbja            40        0x10001500
                                                                                                    mrxhcceopg           41        0x100014a0
                                                                                                    nafhmuoq             42        0x100018f0
                                                                                                    nefxgpc              43        0x100018a0
                                                                                                    nrehxpiznrppeu       44        0x10001690
                                                                                                    nucocnvjyqp          45        0x100018e0
                                                                                                    obxoxtcbntaxofr      46        0x10001890
                                                                                                    ofrzojd              47        0x100016e0
                                                                                                    oofbctfc             48        0x10001550
                                                                                                    opzpazspbecyjojf     49        0x100015b0
                                                                                                    oqoigff              50        0x10001a00
                                                                                                    oujlzhzvhjh          51        0x100016f0
                                                                                                    ovpsanbypajv         52        0x100015e0
                                                                                                    pblpcaadqbdxyb       53        0x10001680
                                                                                                    ragwdgnyohftj        54        0x100017d0
                                                                                                    rfosmac              55        0x10001710
                                                                                                    rgymbuetvifqjqdlo    56        0x10001930
                                                                                                    rmoxbxbbgidnbds      57        0x10001970
                                                                                                    rxnkmfbycdcc         58        0x10001560
                                                                                                    sefltbc              59        0x10001880
                                                                                                    sgieprcsphl          60        0x100019a0
                                                                                                    shpcmnqzvyltgdt      61        0x100016d0
                                                                                                    slktbekupvmdbt       62        0x100015c0
                                                                                                    sormivnk             63        0x10001570
                                                                                                    tdblkstlyin          64        0x10001600
                                                                                                    tkllyrc              65        0x10001650
                                                                                                    tkwpnvfqnbpbdqe      66        0x10001a20
                                                                                                    tnhtgnjrabqakgeke    67        0x10001700
                                                                                                    tzpmcwwig            68        0x10001520
                                                                                                    uceklmggjof          69        0x10001610
                                                                                                    ukwdddyj             70        0x10001640
                                                                                                    uwnaptydgur          71        0x10001940
                                                                                                    vjusqoeo             72        0x10001580
                                                                                                    vnyufpq              73        0x10001590
                                                                                                    vsrwmkhzkrtlexxb     74        0x100014e0
                                                                                                    wermsdfzb            75        0x10001770
                                                                                                    wkhpfdjkypy          76        0x100014c0
                                                                                                    wksndtayhfm          77        0x100015d0
                                                                                                    wnjvxspilxpchq       78        0x10001670
                                                                                                    wuqwfssiddrcl        79        0x10001570
                                                                                                    wyyhtqptznbrknitg    80        0x100017f0
                                                                                                    wzkcijdvadq          81        0x10001540
                                                                                                    wzxlvxuyy            82        0x100019b0
                                                                                                    xhtxeilfgsghxik      83        0x10001780
                                                                                                    xvdijhconoukll       84        0x100014b0
                                                                                                    ybbwnezvxfafm        85        0x10001750
                                                                                                    yeylpreasnzamgac     86        0x100019d0
                                                                                                    ypkidshxgzkkehc      87        0x100018c0
                                                                                                    ypzvmpfbgai          88        0x10001760
                                                                                                    zbrzizodycg          89        0x10001990
                                                                                                    zdiuqcnzg            90        0x10001920
                                                                                                    zfkwwtxd             91        0x10001490
                                                                                                    zktykfwmaehxg        92        0x10001600
                                                                                                    zmkbqvofdhermov      93        0x10001960
                                                                                                    zvtqmkitgmzgo        94        0x100017b0

                                                                                                    Network Behavior

                                                                                                    No network behavior found

                                                                                                    Code Manipulations

                                                                                                    Statistics

                                                                                                    Behavior

                                                                                                    System Behavior

                                                                                                    General

                                                                                                    Start time:00:04:15
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\System32\loaddll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll"
                                                                                                    Imagebase:0x11c0000
                                                                                                    File size:893440 bytes
                                                                                                    MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.568855686.0000000000DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.568855686.0000000000DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.569090954.0000000000F7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.569090954.0000000000F7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.570083613.0000000000DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.570083613.0000000000DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.570281269.0000000000F7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.570281269.0000000000F7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.593746221.0000000000F7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.593746221.0000000000F7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.593529130.0000000000DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.593529130.0000000000DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.592478741.0000000000F7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.592478741.0000000000F7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.622171924.0000000000DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.622171924.0000000000DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.622274934.0000000000F7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.622274934.0000000000F7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.592320940.0000000000DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.592320940.0000000000DA0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:04:15
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
                                                                                                    Imagebase:0x150000
                                                                                                    File size:232960 bytes
                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:04:15
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL
                                                                                                    Imagebase:0xfc0000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000003.520020229.00000000006CC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000003.520020229.00000000006CC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.547175169.00000000005B0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.547175169.00000000005B0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:04:15
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
                                                                                                    Imagebase:0xfc0000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.527531884.0000000000A90000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.527531884.0000000000A90000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.527507715.00000000008BA000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:04:17
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                    Imagebase:0x7ff797770000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:04:20
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu
                                                                                                    Imagebase:0xfc0000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.568532914.0000000000C8A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.568102560.0000000000B00000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.568102560.0000000000B00000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:04:27
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                    Imagebase:0x7ff797770000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:04:28
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,akyncbgollmj
                                                                                                    Imagebase:0xfc0000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.567804185.000000000315A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.567601226.0000000000E10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.567601226.0000000000E10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:04:42
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                    Imagebase:0x7ff797770000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:04:50
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                    Imagebase:0x7ff797770000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:05:14
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                    Imagebase:0x7ff7024e0000
                                                                                                    File size:163336 bytes
                                                                                                    MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:05:33
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                    Imagebase:0x7ff797770000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:00:06:20
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                                                                                                    Imagebase:0xfc0000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:00:06:21
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld",BvsmkekIa
                                                                                                    Imagebase:0xfc0000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.654498844.0000000000F60000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.654498844.0000000000F60000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.654439419.0000000000CFA000.00000004.00000020.sdmp, Author: Joe Security

                                                                                                    General

                                                                                                    Start time:00:06:35
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                                                                                                    Imagebase:0x7ff64e5e0000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:00:06:39
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                                                                                                    Imagebase:0xfc0000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:00:06:41
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                    Imagebase:0x7ff797770000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:00:06:41
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1860 -ip 1860
                                                                                                    Imagebase:0x10e0000
                                                                                                    File size:434592 bytes
                                                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:00:06:43
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 304
                                                                                                    Imagebase:0x10e0000
                                                                                                    File size:434592 bytes
                                                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:00:06:45
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                    Imagebase:0x7ff7189b0000
                                                                                                    File size:455656 bytes
                                                                                                    MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language

General

Start time: 00:06:45
Start date: 02/12/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 00:06:48
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:06:52
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1860 -ip 1860
Imagebase: 0x10e0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:06:54
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 348
Imagebase: 0x10e0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:06:55
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:07:21
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Tormivkitze\hbajscvbpn.eld",Control_RunDLL
Imagebase: 0xfc0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001F.00000002.784894715.0000000000D60000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000001F.00000002.784894715.0000000000D60000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001F.00000003.772094317.0000000000C4B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000001F.00000003.772094317.0000000000C4B000.00000004.00000001.sdmp, Author: Joe Security

General

Start time: 00:07:23
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:07:47
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:07:54
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
