
Windows Analysis Report 5i3yQOSqTm.dll

Overview

General Information

Sample Name: 5i3yQOSqTm.dll
Analysis ID: 532299
MD5: 1e3db971ac31b856864c12b55bcc4435
SHA1: 8f47d8c2d75df496a20b5ddaec949f9524c60a66
SHA256: df1aec18655ffd091bac7e217ad7334c30d99bd906ec9269d0a38c5c92267fbd
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4340 cmdline: loaddll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6140 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5996 cmdline: rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 1308 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2220 cmdline: rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4144 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso",qxtrVBTbrIKuSW MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4784 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pmleysyipg\sjdwpny.iso",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4708 cmdline: rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 336 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5724 cmdline: rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,akyncbgollmj MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4908 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6640 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 308 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 476 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 316 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6148 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6400 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • wermgr.exe (PID: 2016 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "572" "2360" "2316" "2356" "0" "0" "2352" "0" "0" "0" "0" "0" MD5: FF214585BF10206E21EA8EBA202FACFD)
  • svchost.exe (PID: 3428 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6320 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 3744 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4340 -ip 4340 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6704 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4340 -ip 4340 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 7144 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5000 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 4840 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1756 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2960 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3912 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.594385432.0000000000B10000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.594385432.0000000000B10000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.539875956.00000000046D0000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.539875956.00000000046D0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000000.546111377.0000000000B10000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(5 of 31 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.rundll32.exe.940000.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.940000.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.2.loaddll32.exe.d83b40.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.loaddll32.exe.d83b40.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.2.loaddll32.exe.b10000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(5 of 71 entries shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started
Author: FPT.EagleEye
Data:
  • Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pmleysyipg\sjdwpny.iso",Control_RunDLL
  • CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pmleysyipg\sjdwpny.iso",Control_RunDLL
  • CommandLine|base64offset|contains:
  • Image: C:\Windows\SysWOW64\rundll32.exe
  • NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  • OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  • ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso",qxtrVBTbrIKuSW
  • ParentImage: C:\Windows\SysWOW64\rundll32.exe
  • ParentProcessId: 4144
  • ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pmleysyipg\sjdwpny.iso",Control_RunDLL
  • ProcessId: 4784

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: 5i3yQOSqTm.dll, Virustotal: Detection: 19%
Source: 5i3yQOSqTm.dll, ReversingLabs: Detection: 17%
Source: 5i3yQOSqTm.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: 5i3yQOSqTm.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wgdi32full.pdb, source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb, source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb, source: WerFault.exe, 00000016.00000003.551496260.0000000004CE0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551418206.0000000004CDB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551636970.0000000003136000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb, source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb, source: WerFault.exe, 00000016.00000003.551523098.000000000313C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb, source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb(, source: WerFault.exe, 00000016.00000003.551523098.000000000313C000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb, source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb, source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551849737.0000000003130000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.574550716.0000000002D8B000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb, source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb, source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk, source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb, source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb, source: WerFault.exe, 00000016.00000002.561663979.0000000002E32000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb(, source: WerFault.exe, 0000001A.00000003.574550716.0000000002D8B000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6EA20927 FindFirstFileExW
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6EA20927 FindFirstFileExW
                      Source: loaddll32.exe, 00000000.00000000.565990716.0000000000D6B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 6.2.rundll32.exe.940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.d83b40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.32a2148.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.8320a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.dd2160.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d83b40.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d83b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d83b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.940000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.32a2148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b10000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d83b40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d83b40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.46d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.4540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b10000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d83b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.4540000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b10000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.dd2160.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d83b40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.d83b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d83b40.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.46d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b10000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.c62468.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.8320a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.c62468.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.594385432.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.539875956.00000000046D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.546111377.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.539257826.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.544278858.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.566017355.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.565844645.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.544809627.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.564089777.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.539444017.0000000000940000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.564150952.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.513866249.0000000000BD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.532223099.0000000000DBA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.539407249.000000000081A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.661436675.0000000000C4A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.594452020.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.546379647.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.543487140.0000000000E70000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.662192713.0000000004540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.544682886.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
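The Yara hits above name the same payload in three ways: the .unpack entries carry a process index, image name and base address; the .sdmp entries carry a memory dump with its base address and page protection; and the Code function entries under System Summary below give raw virtual addresses per process. The script that follows is an added example for this page, not Joe Sandbox code. The identifier layouts, the reading of phase 2 as the end-of-analysis snapshot, and the 1 MiB window used to decide whether a function lies inside a payload are assumptions inferred from the strings on this page; the sample input is a constructed excerpt of this page's own identifiers. It keeps only Yara hits that are both an executable region and an unpacked PE, rebases the function addresses onto those payload bases, and checks that loaddll32.exe (index 0, base 0xB10000) and the rundll32.exe children (indices 3 and 6, bases 0x46D0000 and 0x940000) expose the same relative virtual addresses, that is, one Emotet payload mapped at three bases.

```python
"""Join this report's Yara hits to its Code function addresses (added example, not Joe
Sandbox code). Identifier layouts are inferred from the strings on the page (assumption):
  <idx>.<phase>.<image>.<base>.<n>[.raw].unpack      6.2.rundll32.exe.940000.1.raw.unpack
  <idx>.<phase>.<id>.<base>.<protect>.<type>.sdmp    00000006.00000002.539444017.0000000000940000.00000040.00000010.sdmp
  <idx>_<phase>_<va>                                 6_2_00961291
<idx> is the process index (0 = loaddll32.exe, the rest rundll32.exe children); phase 2 is
taken to be the end-of-analysis snapshot; <protect> is a Windows PAGE_* constant.
"""
import re
from collections import defaultdict

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
UNPACK_RE = re.compile(r"\b(\d+)\.(\d)\.(\w+\.exe)\.([0-9a-fA-F]+)\.\d+(?:\.raw)?\.unpack\b")
SDMP_RE = re.compile(
    r"\b([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.[0-9A-F]{8}\.sdmp\b")
FUNC_RE = re.compile(r"\b(\d+)_(\d)_([0-9A-F]{8})\b")
PAYLOAD_SPAN = 0x100000  # 1 MiB window above a payload base (assumption; covers every RVA seen)

# Constructed excerpt: identifiers copied from this page's Yara and Code function entries.
SAMPLE = """
File source: 6.2.rundll32.exe.940000.1.raw.unpack, type: UNPACKEDPE
File source: 0.2.loaddll32.exe.b10000.0.unpack, type: UNPACKEDPE
File source: 0.2.loaddll32.exe.d83b40.1.unpack, type: UNPACKEDPE
File source: 2.2.rundll32.exe.9e0000.0.unpack, type: UNPACKEDPE
File source: 3.2.rundll32.exe.46d0000.1.raw.unpack, type: UNPACKEDPE
File source: 00000000.00000002.594385432.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
File source: 00000000.00000002.594452020.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
File source: 00000002.00000002.539257826.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
File source: 00000003.00000002.539875956.00000000046D0000.00000040.00000010.sdmp, type: MEMORY
File source: 00000006.00000002.539444017.0000000000940000.00000040.00000010.sdmp, type: MEMORY
Code function: 0_2_00B31291   Code function: 0_2_00B20A93   Code function: 0_2_00B2CE90
Code function: 0_2_6EA077B4   Code function: 2_2_6EA077B4
Code function: 3_2_046F1291   Code function: 3_2_046E0A93   Code function: 3_2_046ECE90
Code function: 6_2_00961291   Code function: 6_2_00950A93   Code function: 6_2_0095CE90
"""


def yara_regions(text):
    """Return {(idx, base): {"protect": PAGE_* name or None, "unpacked": bool}} for phase-2 hits."""
    regions = defaultdict(lambda: {"protect": None, "unpacked": False})
    for idx, phase, base, prot in SDMP_RE.findall(text):
        if int(phase, 16) == 2:
            p = int(prot, 16)
            regions[(int(idx, 16), int(base, 16))]["protect"] = PAGE_PROTECT.get(p, hex(p))
    for idx, phase, _image, base in UNPACK_RE.findall(text):
        if int(phase) == 2:
            regions[(int(idx), int(base, 16))]["unpacked"] = True
    return dict(regions)


def payload_bases(text):
    """Bases worth carving: an executable Yara-matched region that also yielded an unpacked PE.
    Read/write-only hits (0xD7C000, a data region matching on strings) and unpacked blobs with
    no executable dump at the same base are left out."""
    return {idx: base for (idx, base), r in yara_regions(text).items()
            if r["unpacked"] and r["protect"] is not None and "EXECUTE" in r["protect"]}


def function_rvas(text, bases):
    """Rebase each Code function VA onto its process's payload base. VAs outside the payload
    window (the 0x6EA0xxxx functions) are returned separately as {idx: set(va)}."""
    rvas, outside = defaultdict(set), defaultdict(set)
    for idx, _phase, va in FUNC_RE.findall(text):
        idx, va = int(idx), int(va, 16)
        base = bases.get(idx)
        if base is not None and base <= va < base + PAYLOAD_SPAN:
            rvas[idx].add(va - base)
        else:
            outside[idx].add(va)
    return dict(rvas), dict(outside)


def same_payload(rvas):
    """True when every process exposes the identical RVA set, i.e. one payload relocated."""
    sets = list(rvas.values())
    return len(sets) > 1 and all(s == sets[0] for s in sets[1:])


if __name__ == "__main__":
    bases = payload_bases(SAMPLE)
    rvas, outside = function_rvas(SAMPLE, bases)
    for idx, base in sorted(bases.items()):
        print(f"process {idx}: payload at {base:#x}, RVAs {sorted(map(hex, rvas.get(idx, ())))}")
    print("same payload in every process:", same_payload(rvas))
    print("functions outside any payload:", {i: sorted(map(hex, v)) for i, v in outside.items()})
```

On the excerpt, processes 0, 3 and 6 all resolve to the RVA set {0x10A93, 0x1CE90, 0x21291}, so the three Yara-matched RWX regions are one payload and any one of them is enough to carve for configuration extraction. The 0x6EA077B4 entries for processes 0 and 2 fall outside every payload window, which is consistent with code in the loaded DLL image itself rather than the unpacked stage (an inference; the page does not state that module's base), and process 2 contributes only such addresses even though it too has an RWX Yara hit at 0x9E0000.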

                      System Summary:

Source: 5i3yQOSqTm.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4340 -ip 4340
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Pmleysyipg\
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B31291
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B20A93
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2CE90
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B20E97
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2009A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2A29B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2E899
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1FE9D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1A083
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1F48A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B184F0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B262F5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B24CF5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B11EFB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B146FA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B240FE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B140E2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1C0EA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B256E9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B252D1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B190D4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B228D5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B31CDB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B192C1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B12CC2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B320CE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B210CD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B13432
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1243F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B19824
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B13228
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2282D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B3261E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2C205
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1800A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2B677
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1FA78
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1387F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1EE60
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1B464
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B16869
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B13A6C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B16453
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2EA55
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1CE5A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B23043
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1AE43
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B27445
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1544C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1AA4E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2E3B5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B285B8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2D7BE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B159BF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B143BE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B289A2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2E5A7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B20BA4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2DDA5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1B191
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B21591
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B17795
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B14B81
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B23782
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B18D80
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2DB87
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1358B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1A3E7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B151EC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2EDED
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B175D2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B119C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2CD35
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1F73B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B29124
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1A92F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1CB13
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B14D1E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2970A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2E10A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2590E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B23D0C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B2BF0C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B30370
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1BD61
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B1CF6E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B26540
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA077B4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA09F10
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA01DE0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA0D530
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA03A90
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA1E3A1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA10380
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA068B0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA0A890
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA0E890
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA110C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA06070
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA077B4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA09F10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA01DE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA0D530
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA03A90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA1E3A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA10380
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA068B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA0A890
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA0E890
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA110C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA06070
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EEA55
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046F1291
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D3A6C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D6869
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DB464
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DEE60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D387F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DFA78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EB677
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D544C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DAA4E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E7445
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E3043
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DAE43
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DCE5A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D6453
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E282D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D3228
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D9824
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D243F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D3432
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D800A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EC205
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046F261E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DC0EA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E56E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D40E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E40FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D1EFB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D46FA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E62F5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E4CF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D84F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046F20CE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E10CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D92C1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D2CC2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046F1CDB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D90D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E28D5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E52D1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DF48A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DA083
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DFE9D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E009A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EA29B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EE899
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E0E97
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E0A93
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046ECE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DCF6E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DBD61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046F0370
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E6540
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DA92F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E9124
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DF73B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046ECD35
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E590E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E3D0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EBF0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E970A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EE10A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D4D1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DCB13
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D51EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EEDED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DA3E7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D19C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D75D2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EE5A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E0BA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EDDA5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E89A2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046ED7BE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D59BF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D43BE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E85B8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EE3B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D358B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046EDB87
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D4B81
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E3782
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D8D80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D7795
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046DB191
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046E1591
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00961291
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095EA55
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00950E97
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095CE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00950A93
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094FE9D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095E899
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095A29B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095009A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094A083
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094F48A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009490D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009528D5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009552D1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00961CDB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009492C1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00942CC2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009620CE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009510CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009562F5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00954CF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009484F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009540FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009446FA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00941EFB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009440E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009556E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094C0EA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0096261E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095C205
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094800A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00943432
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094243F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00949824
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095282D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00943228
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00946453
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094CE5A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00957445
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00953043
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094AE43
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094544C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094AA4E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095B677
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094387F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094FA78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094B464
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094EE60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00943A6C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00946869
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00947795
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00951591
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094B191
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095DB87
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00948D80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00944B81
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00953782
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094358B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095E3B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009443BE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009459BF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095D7BE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009585B8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095DDA5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00950BA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095E5A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009589A2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009475D2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009419C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094A3E7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095EDED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009451EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094CB13
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00944D1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00953D0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095BF0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095590E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095970A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095E10A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0095CD35
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0094F73B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00959124
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00956540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00960370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0094BD61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0094CF6E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455EA55
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04561291
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04546453
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454CE5A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04557445
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04553043
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454AE43
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454544C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454AA4E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455B677
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454387F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454FA78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454B464
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454EE60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04543A6C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04546869
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0456261E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455C205
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454800A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04543432
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454243F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04549824
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455282D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04543228
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045490D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045528D5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045552D1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04561CDB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045492C1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04542CC2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045620CE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045510CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045562F5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04554CF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045484F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045540FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045446FA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04541EFB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045440E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045556E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454C0EA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04550E97
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455CE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04550A93
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454FE9D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455E899
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455A29B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455009A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454A083
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454F48A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04556540
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04560370
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454BD61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454CF6E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454CB13
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04544D1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04553D0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455BF0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455590E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455970A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455E10A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455CD35
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454F73B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04559124
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454A92F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045475D2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045419C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454A3E7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455EDED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045451EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04547795
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04551591
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454B191
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455DB87
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04548D80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04544B81
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04553782
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454358B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455E3B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045443BE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045459BF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455D7BE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045585B8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455DDA5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04550BA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0455E5A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045589A2
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6EA1AC90 appears 33 times
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6EA01DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6EA1AC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6EA01DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98%
Source: 5i3yQOSqTm.dll | Virustotal: Detection: 19%
Source: 5i3yQOSqTm.dll | ReversingLabs: Detection: 17%
Source: 5i3yQOSqTm.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,akyncbgollmj
Source: unknown | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "572" "2360" "2316" "2356" "0" "0" "2352" "0" "0" "0" "0" "0"
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso",qxtrVBTbrIKuSW
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4340 -ip 4340
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 308
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4340 -ip 4340
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 316
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pmleysyipg\sjdwpny.iso",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,akyncbgollmj
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso",qxtrVBTbrIKuSW
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4340 -ip 4340
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 308
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4340 -ip 4340
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 316
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pmleysyipg\sjdwpny.iso",Control_RunDLL
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\wermgr.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD33.tmp
Source: classification engine | Classification label: mal80.troj.evad.winDLL@43/26@0/1
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL
Source: C:\Windows\System32\wermgr.exe | Mutant created: \BaseNamedObjects\Local\SM0:2016:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4340
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:6704:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:3744:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: 5i3yQOSqTm.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 5i3yQOSqTm.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.551496260.0000000004CE0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551418206.0000000004CDB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551636970.0000000003136000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.551523098.000000000313C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.551523098.000000000313C000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551849737.0000000003130000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.574550716.0000000002D8B000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.561663979.0000000002E32000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.574550716.0000000002D8B000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B113E7 push esi; retf
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA26A93 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA26A93 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046D13E7 push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009413E7 push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045413E7 push esi; retf
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA0E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
Source: C:\Windows\SysWOW64\rundll32.exe | PE file moved: C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 4640 Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA20927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA20927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: svchost.exe, 00000004.00000002.678237792.000001482C802000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: WerFault.exe, 0000001A.00000002.593843723.0000000004DAB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.592277871.0000000004DAB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.593796820.0000000004D70000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.671610507.000001B060CF0000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.671434122.000001B060C68000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.670841279.000001B060C66000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000004.00000002.678490827.000001482C828000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.677844152.00000225C4229000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA0E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA01290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B207D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA19990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1EC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA202CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA19920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA19920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA19990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA1EC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA202CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA19920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA19920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046E07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009507D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045507D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B228D5 LdrInitializeThunk,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA1A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA1AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4340 -ip 4340
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 308
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4340 -ip 4340
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 316
                      Source: loaddll32.exe, 00000000.00000000.544973056.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.566158477.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.564329433.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.546596729.0000000001550000.00000002.00020000.sdmp, svchost.exe, 00000005.00000002.679513205.000001C803660000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.678697817.0000000003860000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000000.544973056.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.566158477.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.564329433.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.546596729.0000000001550000.00000002.00020000.sdmp, svchost.exe, 00000005.00000002.679513205.000001C803660000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.678697817.0000000003860000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.544973056.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.566158477.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.564329433.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.546596729.0000000001550000.00000002.00020000.sdmp, svchost.exe, 00000005.00000002.679513205.000001C803660000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.678697817.0000000003860000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.544973056.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.566158477.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.564329433.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.546596729.0000000001550000.00000002.00020000.sdmp, svchost.exe, 00000005.00000002.679513205.000001C803660000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.678697817.0000000003860000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1A584 cpuid
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: svchost.exe, 00000014.00000002.678780295.000001E05B03D000.00000004.00000001.sdmp Binary or memory string: $@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
                      Source: svchost.exe, 00000014.00000002.678929916.000001E05B102000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match, File source: 6.2.rundll32.exe.940000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.loaddll32.exe.d83b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.loaddll32.exe.b10000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 2.2.rundll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 7.2.rundll32.exe.32a2148.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 6.2.rundll32.exe.8320a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 3.2.rundll32.exe.dd2160.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.d83b40.7.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.d83b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.d83b40.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 6.2.rundll32.exe.940000.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.b10000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 7.2.rundll32.exe.e70000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 7.2.rundll32.exe.32a2148.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.b10000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.d83b40.4.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.d83b40.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 3.2.rundll32.exe.46d0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.b10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 14.2.rundll32.exe.4540000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.b10000.6.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.d83b40.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 14.2.rundll32.exe.4540000.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.b10000.9.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 3.2.rundll32.exe.dd2160.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.d83b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.loaddll32.exe.d83b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 2.2.rundll32.exe.9e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.d83b40.10.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 3.2.rundll32.exe.46d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.b10000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.loaddll32.exe.b10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 14.2.rundll32.exe.c62468.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.b10000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 6.2.rundll32.exe.8320a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.loaddll32.exe.b10000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 14.2.rundll32.exe.c62468.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000000.00000002.594385432.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000003.00000002.539875956.00000000046D0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000000.546111377.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000002.00000002.539257826.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000007.00000002.544278858.000000000328A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000000.566017355.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000000.565844645.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000000.544809627.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000000.564089777.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000006.00000002.539444017.0000000000940000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000000.564150952.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000002.00000003.513866249.0000000000BD5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000003.00000002.532223099.0000000000DBA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000006.00000002.539407249.000000000081A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000E.00000002.661436675.0000000000C4A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.594452020.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000000.546379647.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000007.00000002.543487140.0000000000E70000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000E.00000002.662192713.0000000004540000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000000.544682886.0000000000B10000.00000040.00000010.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection12 | Masquerading21 | Input Capture1 | System Time Discovery1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery51 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion2 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | System Information Discovery13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

                      Behavior Graph ID: 532299, Sample: 5i3yQOSqTm.dll, Startdate: 02/12/2021, Architecture: WINDOWS, Score: 80. The graph image is not reproduced here; it links the processes loaddll32.exe, rundll32.exe, cmd.exe, svchost.exe and WerFault.exe, the contacted address 192.168.2.1, and the signatures "Sigma detected: Emotet RunDLL32 Process Creation", "Multi AV Scanner detection for submitted file", "Yara detected Emotet", "Changes security center settings (notifications, updates, antivirus, firewall)" and "Hides that the sample has been downloaded from the Internet (zone.identifier)".

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      5i3yQOSqTm.dll | 20% | Virustotal |
                      5i3yQOSqTm.dll | 18% | ReversingLabs | Win32.Infostealer.Convagent

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      0.2.loaddll32.exe.b10000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      6.2.rundll32.exe.940000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      7.2.rundll32.exe.e70000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      14.2.rundll32.exe.4540000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.b10000.6.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.b10000.9.unpack | 100% | Avira | HEUR/AGEN.1110387
                      2.2.rundll32.exe.9e0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.b10000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
                      3.2.rundll32.exe.46d0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.b10000.0.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
                      http://crl.ver) | 0% | Avira URL Cloud | safe
                      https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
                      https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
                      https://dynamic.t | 0% | URL Reputation | safe
                      https://disneyplus.com/legal. | 0% | URL Reputation | safe
                      http://help.disneyplus.com. | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp | false | | high
                      https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000001D.00000003.653107268.000001B061559000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653378746.000001B06157C000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653146089.000001B0615AD000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653434051.000001B0615CB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000C.00000003.511519063.00000133DC835000.00000004.00000001.sdmp | false | | high
                      https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp | false | | high
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000C.00000002.558845183.00000133DC841000.00000004.00000001.sdmp | false | | high
                      https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000C.00000002.558858690.00000133DC844000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558393707.00000133DC843000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558382669.00000133DC842000.00000004.00000001.sdmp | false | | high
                      https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 0000000C.00000002.558937276.00000133DC86B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558300449.00000133DC869000.00000004.00000001.sdmp | false | | high
                      https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000C.00000003.558347329.00000133DC84D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558405102.00000133DC850000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.558891905.00000133DC856000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp | false | | high
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000C.00000003.511519063.00000133DC835000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp | false | | high
                      http://crl.ver) | svchost.exe, 0000001D.00000002.671610507.000001B060CF0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000C.00000003.558365403.00000133DC849000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.558876855.00000133DC84A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558382669.00000133DC842000.00000004.00000001.sdmp | false | | high
                      https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000001D.00000003.654408703.000001B06158D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.654457707.000001B0615D6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.654487337.000001B061A02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.654472024.000001B0615BF000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.654423954.000001B06159E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.654435460.000001B0615D6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp | false | | high
                      https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000C.00000002.558858690.00000133DC844000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558393707.00000133DC843000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558382669.00000133DC842000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp | false | | high
                      https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp | false | | high
                      https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000C.00000003.558347329.00000133DC84D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp | false | | high
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000C.00000003.511519063.00000133DC835000.00000004.00000001.sdmp | false | | high
                      https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000C.00000003.558365403.00000133DC849000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.558876855.00000133DC84A000.00000004.00000001.sdmp | false | | high
                      https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000001D.00000003.653107268.000001B061559000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653378746.000001B06157C000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653146089.000001B0615AD000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653434051.000001B0615CB000.00000004.00000001.sdmp | false | URL Reputation: safe |
                                                                unknown
                                                                https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000C.00000002.558858690.00000133DC844000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558393707.00000133DC843000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558382669.00000133DC842000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 0000000C.00000002.558907657.00000133DC861000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558341613.00000133DC860000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://dynamic.tsvchost.exe, 0000000C.00000003.558377257.00000133DC847000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558341613.00000133DC860000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://disneyplus.com/legal.svchost.exe, 0000001D.00000003.653107268.000001B061559000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653378746.000001B06157C000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653146089.000001B0615AD000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653434051.000001B0615CB000.00000004.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000C.00000003.511519063.00000133DC835000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558399420.00000133DC83E000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000C.00000003.558365403.00000133DC849000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.558876855.00000133DC84A000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://www.bingmapsportal.comsvchost.exe, 0000000C.00000002.558793668.00000133DC813000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://help.disneyplus.com.svchost.exe, 0000001D.00000003.653107268.000001B061559000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653378746.000001B06157C000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653146089.000001B0615AD000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653434051.000001B0615CB000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000C.00000002.558858690.00000133DC844000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558393707.00000133DC843000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558382669.00000133DC842000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000C.00000003.558347329.00000133DC84D000.00000004.00000001.sdmpfalse
                                                                                      high

                                                                                      Contacted IPs


Public

IP    Domain    Country    Flag    ASN    ASN Name    Malicious
(no public IPs contacted)

                                                                                      Private

                                                                                      IP
                                                                                      192.168.2.1

                                                                                      General Information

                                                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                      Analysis ID:532299
                                                                                      Start date:02.12.2021
                                                                                      Start time:00:16:52
                                                                                      Joe Sandbox Product:CloudBasic
                                                                                      Overall analysis duration:0h 11m 35s
                                                                                      Hypervisor based Inspection enabled:false
                                                                                      Report type:light
                                                                                      Sample file name:5i3yQOSqTm.dll
                                                                                      Cookbook file name:default.jbs
                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                      Run name:Run with higher sleep bypass
Number of new started processes analysed:33
                                                                                      Number of new started drivers analysed:0
                                                                                      Number of existing processes analysed:0
                                                                                      Number of existing drivers analysed:0
                                                                                      Number of injected processes analysed:0
                                                                                      Technologies:
                                                                                      • HCA enabled
                                                                                      • EGA enabled
                                                                                      • HDC enabled
                                                                                      • AMSI enabled
                                                                                      Analysis Mode:default
                                                                                      Analysis stop reason:Timeout
                                                                                      Detection:MAL
                                                                                      Classification:mal80.troj.evad.winDLL@43/26@0/1
                                                                                      EGA Information:Failed
                                                                                      HDC Information:
                                                                                      • Successful, ratio: 26.1% (good quality ratio 24.2%)
                                                                                      • Quality average: 72.4%
                                                                                      • Quality standard deviation: 27.5%
                                                                                      HCA Information:
                                                                                      • Successful, ratio: 73%
                                                                                      • Number of executed functions: 0
                                                                                      • Number of non-executed functions: 0
                                                                                      Cookbook Comments:
                                                                                      • Adjust boot time
                                                                                      • Enable AMSI
                                                                                      • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                                                                                      • Found application associated with file extension: .dll
                                                                                      Warnings:
                                                                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
                                                                                      • Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.54.110.249, 80.67.82.211, 80.67.82.235
                                                                                      • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                      Simulations

                                                                                      Behavior and APIs

                                                                                      No simulations

                                                                                      Joe Sandbox View / Context

                                                                                      IPs

                                                                                      No context

                                                                                      Domains

                                                                                      No context

                                                                                      ASN

                                                                                      No context

                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8c5962cbbdb13a8671f1f3c3793157e73bd5d897_d70d8aa6_187b1da8\Report.wer
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.6754479704396386
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:cX7tZqysy9hkoyt7JfapXIQcQ5c6A2cE2cw33+a+z+HbHgE2VG4rmMOyWZAXGngH:CvB1HnM28jjr9q/u7saS274ItW
                                                                                      MD5:2AEE5E78EF26D162307A1F1E0ABBA548
                                                                                      SHA1:2B758841F1E73ECDFAC5B7F9F91F81D57A2667D7
                                                                                      SHA-256:1A130F4F2EF4420AE091604B05B2B4E3408CF1AA5909DC63495B094A56406495
                                                                                      SHA-512:BDC4968FC52FA057CDDED8F9933313481F91FE10C1D2D17DDDC174B4AE8CF4422F2CE916892701D23F017C6935C5391C4BC37851EA4F6A0611E97F90BBB3BEC4
                                                                                      Malicious:false
                                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.6.7.9.1.7.2.1.6.9.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.c.0.8.e.f.f.-.7.8.8.e.-.4.8.0.5.-.8.b.e.2.-.4.b.6.b.4.c.6.f.e.c.b.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.6.f.0.9.3.7.-.e.e.7.e.-.4.4.a.2.-.a.8.3.7.-.1.5.6.4.5.3.6.8.f.c.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.f.4.-.0.0.0.1.-.0.0.1.c.-.3.a.0.2.-.c.1.1.4.5.5.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
                                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_005759e6\Report.wer
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.6791193075663844
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:a2GCFz8dtZqyoy9hk1Dg3fWpXIQcQYc6ZcEKcw3u+a+z+HbHgE2VG4rmMOyWZAXR:agp8pBAHWdQAjr9q/u7saS274ItW
                                                                                      MD5:8A4E68599049AF186936C4F0E82ABFCF
                                                                                      SHA1:5CC56A10E379DB01F48D55FB5CBBC0E01975C69D
                                                                                      SHA-256:0C97CF83364AF973017E966E9F35985D8F85532529E06201790B55C404ECE325
                                                                                      SHA-512:73A221BD598B133EA781436FD7963485B6570BD7E9863EB73D82030C48E44317AF4A25C9AEE591649226D94E7D90C2F57673A8234DAEF9B0A5E4BD9CE22385AE
                                                                                      Malicious:false
                                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.6.8.0.2.5.3.2.4.2.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.9.0.6.8.0.7.6.4.1.7.2.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.f.b.d.2.a.7.-.b.7.f.3.-.4.3.5.3.-.8.2.7.0.-.a.d.a.0.6.8.a.a.7.c.3.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.d.0.a.4.5.0.-.8.7.d.2.-.4.f.4.c.-.b.4.6.c.-.b.7.3.1.f.d.0.9.4.1.7.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.f.4.-.0.0.0.1.-.0.0.1.c.-.3.a.0.2.-.c.1.1.4.5.5.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_NcbService_c3fd3c3f830283a6ba0c7e839e220c16a1c8146_00000000_0785595f\Report.wer
                                                                                      Process:C:\Windows\System32\wermgr.exe
                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.8231203080410965
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:8Ydrw1MYSgGgkgOpXItJ+HbHgS3gePnMXh88WAfbNkqKjibkUDvLgWRN1mDjTcuI:brwStgY1jwHggN/u7s6S274lt
                                                                                      MD5:EBD588E2B8A8F058E9FAA84704C0432A
                                                                                      SHA1:2226A68A179C2E493958F76EFE20218CE0E1B390
                                                                                      SHA-256:CD3344AC650DF1EA6E26B1AF3CD0E3068306A2F292FE22C3FD6B5C49687E7357
                                                                                      SHA-512:205A317981953ACC3842D4C8C1492B0764EA9AC2217FEDAFB848EFB934A3426FEA2A207EECF6F4AE611E68002E8097D50BC400662B3BE718BE990B5C06B3C0FE
                                                                                      Malicious:false
                                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.S.e.r.v.i.c.e.H.a.n.g.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.6.7.4.5.7.8.3.2.9.2.7.....R.e.p.o.r.t.T.y.p.e.=.3.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.1.3.5.6.2.a.-.5.a.9.a.-.4.7.d.5.-.a.d.a.a.-.d.5.5.3.6.8.6.f.4.2.0.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.0.4.-.0.0.0.0.-.0.0.1.c.-.e.3.c.f.-.8.5.1.5.5.5.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.6.0.b.7.6.b.6.f.b.8.0.2.4.1.7.d.5.1.3.a.d.c.9.6.7.c.5.c.a.f.7.7.f.c.2.b.a.c.6.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.5.6././.1.2././.1.2.:.0.8.:.2.8.:.3.4.!.1.7.e.f.9.!.s.v.c.h.o.s.t...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.I.d.=.4.0.4.....I.s.F.a.t.a.l.=.4.2.9.4.9.6.7.2.9.5.....R.e.s.p.o.n.s.e...t.y.p.e.=.4.....S.i.g.[.0.]...N.a.m.e.=.S.e.r.v.i.c.e. .N.a.m.e.....S.i.g.[.0.]...V.a.l.u.e.=.N.c.b.
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER10C7.tmp.dmp
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 08:19:52 2021, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):26832
                                                                                      Entropy (8bit):2.487781029339773
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:tuewMH95S6OTNrKuC9FHBsqNfL8jWxytHbdb2mmriy2v:FP5SFTNuuvqNfL8aIHbdb2m/
                                                                                      MD5:C142CF5441B5FD095938D19BFA67B29C
                                                                                      SHA1:3226AEE79DA2177FEFCD20A9A712DFDBC09ACD43
                                                                                      SHA-256:3AB114C2A8305EED101A1B215F6DEC3B0A0E33EF52938E075ECCF5D78CCBD43D
                                                                                      SHA-512:6C5667C62E17E9264185E47646D9FCD8C936AEF9F6E5F9C6412C62255DFF6087A64E01847ABAD81F287B71FC8F38353A3E9C3140DB0ACFEF0E0348ED51569F20
                                                                                      Malicious:false
                                                                                      Preview: MDMP....... ..........a............4...............H.......$...........................`.......8...........T...........h...h\...........................................................................................U...........B......p.......GenuineIntelW...........T...........'..a+............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER11D8.tmp.xml
                                                                                      Process:C:\Windows\System32\wermgr.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4310
                                                                                      Entropy (8bit):4.428102891708425
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwSD8zsnJgtBI9nHWSC8B/s8fm8M4JFKfY2xAF8Lyq8veY2xVvhO8OTd:uITfJJ2SNVRJFKf/lWe/Vvk8OTd
                                                                                      MD5:3768772510C55D2D721DCD8415F2E981
                                                                                      SHA1:D8D82E31565ECD17DA1C16C5C6ED91760D472F0A
                                                                                      SHA-256:62FD9372B0E6591C441A65D944DB2AEDC8D03960D88E660A5FEF5AEABAAD690C
                                                                                      SHA-512:AAB7BFEDDD81A874F25E30C3725173C48CF9BA6DA64FA517B6B9FFA0E19FDF987987DC19670792A12C6CB285044769BC01D9F491F73BFF85BB65CC4452CA25BD
                                                                                      Malicious:false
                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279769" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER14DF.tmp.WERInternalMetadata.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8342
                                                                                      Entropy (8bit):3.7009426535664662
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Rrl7r3GLNiZf6eh6YFaSUGngmfsSzaCpBg89bkjN5sfL0vsm:RrlsNih6w6YYSUGngmfsSzdkjNSf6
                                                                                      MD5:BD6D06D778585343D22E866C7E3CD76D
                                                                                      SHA1:3E74E82462445437B6B1F8A1B3C5B00511AC258F
                                                                                      SHA-256:B9375ACC1C8BEA51DD2CDAAEA1D784945163D6ABD3A0C51CDA774BB86238E1F8
                                                                                      SHA-512:3DF19C390E692A5268F851A93A02F8CAA8A78B42993FD389EF1E5B79D812DAB22F97ED54AFE8BAD3CAA6B57BF3A69416CDAD5704E11C63DC2C24F3AEB476E191
                                                                                      Malicious:false
                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.4.0.<./.P.i.d.>.......
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER167A.tmp.csv
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):51904
                                                                                      Entropy (8bit):3.063864127660923
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:CXHpHD1EnoZWM5yzDd5Gx47Iq5+CelaWikDIRP9JpmnH:CXHpHbD8zDd5Gx47Iq7elaWv0RPLpmnH
                                                                                      MD5:77D811B50E4D1C8618A5D6333D89D833
                                                                                      SHA1:1E36599108D5C49FCFCDE2EE2F18510F8F0B1908
                                                                                      SHA-256:52199A0254D6DA0502DADBAC38073F872A5267D9EC41548AF342141E305895CC
                                                                                      SHA-512:30FF6599C619C23392C17C13A97291A97C6FA2FFE508ABDFA27A45447A7B2CD3154A241CA330452C72CCA2DCFBDF6D2229556EE0E11FD6A64DEA6DE68F146055
                                                                                      Malicious:false
                                                                                      Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER17FD.tmp.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4598
                                                                                      Entropy (8bit):4.47213070071042
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwSD8zsBJgtWI9nHWSC8Bu8fm8M4J2yzZFU+q84WvQFKcQIcQwQkd:uITfTw2SNdJJggQFKkwQkd
                                                                                      MD5:A5D2DE991E9C4181F7D87E6BF34EAC8E
                                                                                      SHA1:9AF1CFE85BBD332B0275D49AA6679936753A5693
                                                                                      SHA-256:D6FB1783411A9C7BDA6E5F3B89EE8CF1ED276604E31D6C8223B5F69E71684554
                                                                                      SHA-512:844E4CF6A237ECBB7E643F6AE214900823EE28D71F6C05FBB3E8299E6C0558C4155E938C41E95A3E3A1D1628648D3C29028F7A4BD6EBED0FCEDF16C8B1546939
                                                                                      Malicious:false
                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279770" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER3AF4.tmp.dmp
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 08:20:03 2021, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):1059828
                                                                                      Entropy (8bit):1.3530089983506397
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:ZXFdb/P6k0tLmleDlPqwIXMena99UVLkJ/R9GuMDkUfaeF82c:p36k0tPDkTnO9UVLkJ59IkUfaeq2c
                                                                                      MD5:B1F94BE55C0F42F0FF2A5F6C415429E2
                                                                                      SHA1:169E355D35EBCBFD8EFD6BEF2C5862A228FA80E9
                                                                                      SHA-256:97EC25DAF5EB2B1409BE0089BFFB84A97CB554E97383EC68A2D0AB91900A1124
                                                                                      SHA-512:E9D35D52703FF5D7D38FCF0D82F2DB1725D916DFBB021A6A706D1537B0A0EE43B4754BC3F45BF2AD229FBB514144D075C33B37988D963D1C4228771C672993BA
                                                                                      Malicious:false
                                                                                      Preview: MDMP....... ..........a............4...............H.......$...........................`.......8...........T...........@................................................................................................U...........B......p.......GenuineIntelW...........T...........'..a+............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER440D.tmp.WERInternalMetadata.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8302
                                                                                      Entropy (8bit):3.6937685783150376
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Rrl7r3GLNiZA6Gd6YFgSUCpbHgmfL8GS4CpDi89bVjN5sfOnm:RrlsNie6s6YiSUCp7gmfLrSDVjNSfv
                                                                                      MD5:8CF24AADB1EBEF2ECF8A54DE5292AE6A
                                                                                      SHA1:F595A62079FDE24CFE7B887406F197797D16C579
                                                                                      SHA-256:DD5BA2150BFA3633D0CEC4C22DCF9B16A2B89721C4EDD2527F4048205847AC20
                                                                                      SHA-512:C22F29B1C543495BC05492FBD50C97F5CD0D310324EF07CCB7FA4A7C9BEABAC4AFFAA0B0EF1B00925593E4334DCAE01B1E966DF7F7591F6D2583EB817671F4C1
                                                                                      Malicious:false
                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.4.0.<./.P.i.d.>.......
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER46BE.tmp.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4558
                                                                                      Entropy (8bit):4.4287797177293715
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwSD8zsBJgtWI9nHWSC8BC8fm8M4J2yGtFUoz0+q84tjMFKcQIcQwQkd:uITfTw2SNJJEUxMFKkwQkd
                                                                                      MD5:E2F1593D590DD7D7233246C6B96BD3AA
                                                                                      SHA1:B334DA2557D588DAD21FFB43D266B81FCFA21458
                                                                                      SHA-256:99EBB65789E8E4CCB18E5ACDB6AD5470D866A736073E99213DE36CA6857E1C24
                                                                                      SHA-512:26F986D3D7649BF152DC90D8D881C72426C597973897B0B0CC7575902959D275DD430D4549A9CB2928C8BA5B99620E22A17C138F803F0EE5442F9D2A0707E93A
                                                                                      Malicious:false
                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279770" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER5113.tmp.txt
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):13340
                                                                                      Entropy (8bit):2.6948692578008937
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:9GiZYWV+y8TkUYiY5TWDH0YEZdiustk0i9OIfJw/dTA0a5AiB5QIA+23:9jZDV+flczcHa5AiB5np23
                                                                                      MD5:F7C9BE7A47B6A71082ABBD44886C9A97
                                                                                      SHA1:5D68824C3D0A78BBE40BBFB2F21B396BDDA4276E
                                                                                      SHA-256:DBB6EBBFDBEF42D2C79A2C7C2712DA604823D4CFB92ACA804C0376731CA5F008
                                                                                      SHA-512:37FF05D6A815EBC29409A90D8AC5E17E1CF375B85A36E19EE6CECEC149BB02B1400AE4B0B64F34208B6EDD632E6B846835E67C3C8D656D3A6F407A02A80ADC19
                                                                                      Malicious:false
                                                                                      Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERBEA3.tmp.csv
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):52858
                                                                                      Entropy (8bit):3.0647172817979955
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:pjHAfL68HDtn1xN7IqxkjyL0NlIq6LUAdBcb:pjHAfL68HDtn1xN7IqxkjyL0Niq6LUA6
                                                                                      MD5:2296EEC040E24DE2405EEEB285C75D8A
                                                                                      SHA1:ACD989DDB11DBDCBBA3F268A5D70039BA8968D92
                                                                                      SHA-256:81805A10ACC2D67F498E0C0AF9620110689E2E48603F4BE48CB4B77BDD603B3C
                                                                                      SHA-512:113C92F943A4A26D0B18223AB66A35D27FDAB807EB80E4F8A555D0FFD46110DED6AB3D39E47C888BE208FE9560FA51B0688F7A2CE9D193C7BA5C8FC4B16990E4
                                                                                      Malicious:false
                                                                                      Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERC22E.tmp.txt
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):13340
                                                                                      Entropy (8bit):2.6952272931168184
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:9GiZYWVgn3eoeA/txYGYbWz0H7YEZSytk0iiO5fNw8QwNZaTnAneAIAp3:9jZDVgnxBxz7zaTnAneXAp3
                                                                                      MD5:5591AF2B641FA11B50CFFFE0DE4BE472
                                                                                      SHA1:40B75FAC1DDEB4E11772940F89A74C649177C273
                                                                                      SHA-256:E12FB5AD22036B0CD38D72EB717B29D55C762EDBBAECA859717D701FA885B51C
                                                                                      SHA-512:46AB30ED89B573B5FF385F591AE969004B8B906F7157F5ABFBFFE67C20FF10EC70FB7E09D8EF15C5CA9DE37867CA2B6BCBDB6DAE8FF06DB2AD028719047F4FAB
                                                                                      Malicious:false
                                                                                      Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERD33.tmp.WERInternalMetadata.xml
                                                                                      Process:C:\Windows\System32\wermgr.exe
                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4890
                                                                                      Entropy (8bit):3.708335392466497
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:RtIU6o7r3GLt3iMBj9XjDPYr74SfEGg0BCaMrZ4vm:Rrl7r3GLNiMBj9XPYr74STCp1Gm
                                                                                      MD5:3915722ED951A0333D6C67A268A26E2B
                                                                                      SHA1:4C2D32D9B8B8221D684F58DEF3EBE59F604E4837
                                                                                      SHA-256:4A100A7D28DEF0B4A491111F502D4EFC8B32320FBAAB355174F8BA0B012574BF
                                                                                      SHA-512:A2B24310BB7481FCFE698983A7087A7273076B6A487EFEE01C07C38E364BBABCE97D543557336165680A5B6AF0B6C7DF7F298698ACBA8BE9FED9EEC86ABF50D3
                                                                                      Malicious:false
                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.4.8.<./.P.i.d.>.......
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERED85.tmp.csv
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):52488
                                                                                      Entropy (8bit):3.0649859459697737
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:t/HTp9n6FyxtsaxN7IqSrJiyk0y9y/LVdxw:t/HTp9n6FyxtsaxN7IqSrJiyk0yA/LVU
                                                                                      MD5:A8B96200EC520AF834608F1B814A6738
                                                                                      SHA1:09AD85BF48A9B0DC4FAF29120DD48A2BAD28513A
                                                                                      SHA-256:10E85ACF226EEBA554B709909874D841C9A5E84BD7D2117D2E9159CEC5973137
                                                                                      SHA-512:9485F6B625D239A099A0F65191B3B2AA57A936415335DC23FF3C950BF4823A34E9C6A43461760AD3615436DEA08D347CFDD96946CEDA730CB0205B8B3FA1794D
                                                                                      Malicious:false
                                                                                      Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1DB.tmp.txt
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):13340
                                                                                      Entropy (8bit):2.695644144475772
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:9GiZYWVYI9IxQVYRzYoTWxHBYEZbotCigONfaw4qni0XakQtmTUIVl+l3:9jZDVYsSS54akQtmTDVUl3
                                                                                      MD5:FDB1472D617482A4A58854E7DA268C2F
                                                                                      SHA1:C64A71DE2CD2532A9E69C427CB32E109914FB3DD
                                                                                      SHA-256:E12463D10E1AACEF100F458D67B307E61EEBFDF846CCC1A372016CB325122DFB
                                                                                      SHA-512:1B82B04C6A9F7CD622AF326D3DD1B33579396A76C7D332F52D0153B14650025ECB92BD1FFEF0B08D9835B5113A39D67C43BD0FB9BEEBD57E203A5302AA71030C
                                                                                      Malicious:false
                                                                                      Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                      C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.10989502196543777
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:26HjXm/Ey6q9995vq3qQ10nMCldimE8eawHjcof:266l68kLyMCldzE9BHjcI
                                                                                      MD5:9A7463FA7D66CACD641F6DF3F1DEF198
                                                                                      SHA1:83BD27E517A0BC26DDF16EB4DFBABE666147BBF6
                                                                                      SHA-256:857B7E228D1417CB8450DEFEB211F9979A2788903FEFD70755724454C1021CAD
                                                                                      SHA-512:2EB9E48CB47CF28C201B37AB2821550A9129F8C22E3235DA235FBE0C174579E18D4FD931ADEFA94D658060FD169E185CD5E48C17DFD1318E5C09100C0DD4E4DA
                                                                                      Malicious:false
                                                                                      Preview: ................................................................................`.......7..F.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................s..#~..... .....J..$U...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.`.......g..F....................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.11241126566489497
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:D/sjXm/Ey6q9995F1miM3qQ10nMCldimE8eawHza1miImP:D/Jl68v1tMLyMCldzE9BHza1tIm
                                                                                      MD5:2FAF61572736CAEC65422E0233E7E1CA
                                                                                      SHA1:243D9DDD93F2460606AB8F30A91B7C1C10E1ED6F
                                                                                      SHA-256:7B10FE6044B8E71E7E1212752918657E5B7506938E03FF85E2F14B31EAB6852D
                                                                                      SHA-512:A53C65E0F11053466763A06741B22412EB655BF26A9873FA57CAA5DA0A87B630D4ABBE5F1572E7487B9C4B10151DC20BEA00CAF7738E5E56CA32ACD70D7618EE
                                                                                      Malicious:false
                                                                                      Preview: ................................................................................`........|.F.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................s..#~..... .....{..$U...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.`.......-..F....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.11234943753179523
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:pjXm/Ey6q9995F1mK2P3qQ10nMCldimE8eawHza1mKoEP:El68v1iPLyMCldzE9BHza1/
                                                                                      MD5:F8B7A841CDC339DBEF411695D08A049E
                                                                                      SHA1:98058BC75A5BBB3BFED13D52696B45B8E9E432D3
                                                                                      SHA-256:E978E51B32E584C41D72B5056454F03D79FC41F99728D2B805266570D59BA171
                                                                                      SHA-512:A863159ED8D05D6C7373E010CF1F53A3598B7A858788DE91C0E08A4650AD79FA8842EA25E4B3EC4D01A4180DBA7BC23F17F3A91B08FC7049CCF7AB0DE7B77152
                                                                                      Malicious:false
                                                                                      Preview: ................................................................................`..........F.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................s..#~..... .....{..$U...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.`.......Y..F....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001 (copy)
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.10989502196543777
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:26HjXm/Ey6q9995vq3qQ10nMCldimE8eawHjcof:266l68kLyMCldzE9BHjcI
                                                                                      MD5:9A7463FA7D66CACD641F6DF3F1DEF198
                                                                                      SHA1:83BD27E517A0BC26DDF16EB4DFBABE666147BBF6
                                                                                      SHA-256:857B7E228D1417CB8450DEFEB211F9979A2788903FEFD70755724454C1021CAD
                                                                                      SHA-512:2EB9E48CB47CF28C201B37AB2821550A9129F8C22E3235DA235FBE0C174579E18D4FD931ADEFA94D658060FD169E185CD5E48C17DFD1318E5C09100C0DD4E4DA
                                                                                      Malicious:false
                                                                                      Preview: ................................................................................`.......7..F.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................s..#~..... .....J..$U...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.`.......g..F....................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.11241126566489497
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:D/sjXm/Ey6q9995F1miM3qQ10nMCldimE8eawHza1miImP:D/Jl68v1tMLyMCldzE9BHza1tIm
                                                                                      MD5:2FAF61572736CAEC65422E0233E7E1CA
                                                                                      SHA1:243D9DDD93F2460606AB8F30A91B7C1C10E1ED6F
                                                                                      SHA-256:7B10FE6044B8E71E7E1212752918657E5B7506938E03FF85E2F14B31EAB6852D
                                                                                      SHA-512:A53C65E0F11053466763A06741B22412EB655BF26A9873FA57CAA5DA0A87B630D4ABBE5F1572E7487B9C4B10151DC20BEA00CAF7738E5E56CA32ACD70D7618EE
                                                                                      Malicious:false
                                                                                      Preview: ................................................................................`........|.F.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................s..#~..... .....{..$U...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.`.......-..F....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001Fa (copy)
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.11234943753179523
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:pjXm/Ey6q9995F1mK2P3qQ10nMCldimE8eawHza1mKoEP:El68v1iPLyMCldzE9BHza1/
                                                                                      MD5:F8B7A841CDC339DBEF411695D08A049E
                                                                                      SHA1:98058BC75A5BBB3BFED13D52696B45B8E9E432D3
                                                                                      SHA-256:E978E51B32E584C41D72B5056454F03D79FC41F99728D2B805266570D59BA171
                                                                                      SHA-512:A863159ED8D05D6C7373E010CF1F53A3598B7A858788DE91C0E08A4650AD79FA8842EA25E4B3EC4D01A4180DBA7BC23F17F3A91B08FC7049CCF7AB0DE7B77152
                                                                                      Malicious:false
                                                                                      Preview: ................................................................................`..........F.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................s..#~..... .....{..$U...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.`.......Y..F....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_081926_566.etl
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):8192
                                                                                      Entropy (8bit):3.392411013136536
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:0ClYZomo+ga5s+9ob/YMWCb/I2l2ikf/4u1T2IjFztNMCQ6JRcY5H:vinReNc2xqoCDf
                                                                                      MD5:35326629B94BFF5EFA849C4406350B4B
                                                                                      SHA1:9DA233CB6A8286DBF88BF47BB7D6285F30BD51EC
                                                                                      SHA-256:1B339F2DEFCD9E6AD171084A72EC80546D89690485D305F02223C9DD9DBD8DE0
                                                                                      SHA-512:37BE82619C80333FF821A8E61CB9667075BEE6944EBF148352E264A2D072E237B5F0BD6DF16B3E1DF8BFB2DC2107A4E579D8BBAC9C8BB3FE494F2AB0373BA858
                                                                                      Malicious:false
                                                                                      Preview: .... ... ....................................... ...!...............................d...........................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..................................................................... ......I.RU...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.2.0.2._.0.8.1.9.2.6._.5.6.6...e.t.l.........P.P.....d..........................................................................................................................................................................................................................................................................
                                                                                      C:\Windows\appcompat\Programs\Amcache.hve.tmp
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                      Category:dropped
                                                                                      Size (bytes):8192
                                                                                      Entropy (8bit):0.8462688003400152
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:JNuHVKJW1XUlE74AHslPoDdXw4ib3S82p0F+/uq:eHVKJW1XQEkAkYdAeT
                                                                                      MD5:5339AB43691DF25CCD427698835019D2
                                                                                      SHA1:DFBE02B060AB414AB9BB05ECF6C9C8C747D11684
                                                                                      SHA-256:EB9B417EE8C3DE1245324EF335500CDB5853FCE285E5870CF7F711792D5C7EF9
                                                                                      SHA-512:8F7D8C99FDA21D0241B745250CF349184AF8F848C9A5C56260C23A84A753067AFA47AFE61B21FC354069D83478D1FF2A1C6491004BF74CACCC74838BE214F853
                                                                                      Malicious:false
                                                                                      Preview: regf..........-`U................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p...9..M..........-.9..M..........-.....:..M..........-.rmtm.y.`U.................................................................................................................................................................................................................................................................................................................................................N........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Windows\appcompat\Programs\Amcache.hve.tmp.LOG1
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                      Category:dropped
                                                                                      Size (bytes):8192
                                                                                      Entropy (8bit):0.8842972054145841
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:BuHVKJW1XUl9CuO74AHslPoDdXw4ib3S82p0F+/uq:IHVKJW1XQLOkAkYdAeT
                                                                                      MD5:E323EFAD3A271A1F157ED6C649AA8812
                                                                                      SHA1:DEB76FC77B61F584A7489FAF103ADC758F3573B9
                                                                                      SHA-256:5FE5C57E34487315469A6B6E54D7BA885E5E5C91F7A74683E12F28A2CF99FDFB
                                                                                      SHA-512:7BEE939F8CCBCFFC2C1198EB901561272DECD1F6336284FDEEA9A8039341997C6A3E663D6D2D1A5C3B5A922509BCDF3989A185EF90EAB8DC6C7B86B61F117884
                                                                                      Malicious:false
                                                                                      Preview: regf..........-`U................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p...9..M..........-.9..M..........-.....:..M..........-.rmtm.y.`U.................................................................................................................................................................................................................................................................................................................................................NHvLE......................._..tF.2u$.j..........hbin..................-`U...........nk,..y.`U...................0...........................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......sk..............(.................................................................................8......................1.?l.cL<.P...b....~z...........8......................1.?l.cL<.P...b....~z.............?...................?...................?........... ... ........... ...

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.067333612631272
                                                                                      TrID:
                                                                                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                      • DOS Executable Generic (2002/1) 0.20%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:5i3yQOSqTm.dll
                                                                                      File size:372736
                                                                                      MD5:1e3db971ac31b856864c12b55bcc4435
                                                                                      SHA1:8f47d8c2d75df496a20b5ddaec949f9524c60a66
                                                                                      SHA256:df1aec18655ffd091bac7e217ad7334c30d99bd906ec9269d0a38c5c92267fbd
                                                                                      SHA512:66f9cf44cc85cba27c2194ae0803bd3914926763455a3871b5c452720a5815bf04aba4753dde4ffa274e7abb98f259fac24543201bcc74ce2485805ac9352c99
                                                                                      SSDEEP:6144:qRsMh9YQWtcgA70wgF7nJyq6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFLPRQKqV4epRmxAvAD
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

                                                                                      File Icon

                                                                                      Icon Hash:74f0e4ecccdce0e4

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x1001a401
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x10000000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                      Time Stamp:0x61A7100E [Wed Dec 1 06:02:54 2021 UTC]
                                                                                      TLS Callbacks:0x1000c500
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:6
                                                                                      OS Version Minor:0
                                                                                      File Version Major:6
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:6
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:609402ef170a35cc0e660d7d95ac10ce

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      cmp dword ptr [ebp+0Ch], 01h
                                                                                      jne 00007FC2B07E88E7h
                                                                                      call 00007FC2B07E8C78h
                                                                                      push dword ptr [ebp+10h]
                                                                                      push dword ptr [ebp+0Ch]
                                                                                      push dword ptr [ebp+08h]
                                                                                      call 00007FC2B07E8793h
                                                                                      add esp, 0Ch
                                                                                      pop ebp
                                                                                      retn 000Ch
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      push dword ptr [ebp+08h]
                                                                                      call 00007FC2B07E918Eh
                                                                                      pop ecx
                                                                                      pop ebp
                                                                                      ret
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      jmp 00007FC2B07E88EFh
                                                                                      push dword ptr [ebp+08h]
                                                                                      call 00007FC2B07ECC74h
                                                                                      pop ecx
                                                                                      test eax, eax
                                                                                      je 00007FC2B07E88F1h
                                                                                      push dword ptr [ebp+08h]
                                                                                      call 00007FC2B07ECCF0h
                                                                                      pop ecx
                                                                                      test eax, eax
                                                                                      je 00007FC2B07E88C8h
                                                                                      pop ebp
                                                                                      ret
                                                                                      cmp dword ptr [ebp+08h], FFFFFFFFh
                                                                                      je 00007FC2B07E9253h
                                                                                      jmp 00007FC2B07E9230h
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      push 00000000h
                                                                                      call dword ptr [1002808Ch]
                                                                                      push dword ptr [ebp+08h]
                                                                                      call dword ptr [10028088h]
                                                                                      push C0000409h
                                                                                      call dword ptr [10028040h]
                                                                                      push eax
                                                                                      call dword ptr [10028090h]
                                                                                      pop ebp
                                                                                      ret
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      sub esp, 00000324h
                                                                                      push 00000017h
                                                                                      call dword ptr [10028094h]
                                                                                      test eax, eax
                                                                                      je 00007FC2B07E88E7h
                                                                                      push 00000002h
                                                                                      pop ecx
                                                                                      int 29h
                                                                                      mov dword ptr [1005AF18h], eax
                                                                                      mov dword ptr [1005AF14h], ecx
                                                                                      mov dword ptr [1005AF10h], edx
                                                                                      mov dword ptr [1005AF0Ch], ebx
                                                                                      mov dword ptr [1005AF08h], esi
                                                                                      mov dword ptr [1005AF04h], edi
                                                                                      mov word ptr [eax], es

                                                                                      Data Directories

                                                                                      Name                                   Virtual Address  Virtual Size  Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT           0x58390          0x8ac         .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT           0x58c3c          0x3c          .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC        0x5d000          0x1bb0        .reloc
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG            0x56fdc          0x54          .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS              0x57100          0x18          .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x57030          0x40          .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT              0x28000          0x154         .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

                                                                                      Sections

                                                                                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                                      .text   0x1000           0x264f4       0x26600   False     0.546620521173   data       6.29652715831  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                      .rdata  0x28000          0x313fa       0x31400   False     0.822468868972   data       7.43224405131  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .data   0x5a000          0x1844        0xe00     False     0.270647321429   data       2.60881097454  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                      .pdata  0x5c000          0x66c         0x800     False     0.3583984375     data       2.21689595795  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                      .reloc  0x5d000          0x1bb0        0x1c00    False     0.784598214286   data       6.62358237634  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                      Imports

                                                                                      DLL           Import
                                                                                      KERNEL32.dll  HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer
                                                                                      USER32.dll    GetDC, ReleaseDC, GetWindowRect

                                                                                      Exports

                                                                                      Name                Ordinal  Address
                                                                                      Control_RunDLL      1        0x100010a0
                                                                                      ajkaibu             2        0x100016c0
                                                                                      akyncbgollmj        3        0x10001480
                                                                                      alrcidxljxybdggs    4        0x10001860
                                                                                      bgmotrriehds        5        0x10001820
                                                                                      bojkfvynhhupnooyb   6        0x100019f0
                                                                                      bujuoqldqlzaod      7        0x10001800
                                                                                      bunsahctogxzts      8        0x100019e0
                                                                                      cjogbtafwukesw      9        0x10001830
                                                                                      csbbcaopuok         10       0x100016a0
                                                                                      cyqrjpaeorjur       11       0x100015f0
                                                                                      dlrzuyaeqj          12       0x10001840
                                                                                      egiimrq             13       0x10001850
                                                                                      evhgyts             14       0x100014f0
                                                                                      fdqpjjjyuw          15       0x100017e0
                                                                                      finabzjyxhxnnuuv    16       0x10001510
                                                                                      fkeacqpbbfw         17       0x10001910
                                                                                      fuwsgzf             18       0x10001790
                                                                                      fzbmpailk           19       0x10001980
                                                                                      gamsrhauvgl         20       0x10001810
                                                                                      gjfqgtgk            21       0x10001a10
                                                                                      gwsmfxfmekkyr       22       0x100018b0
                                                                                      haymuvtatadeydqmk   23       0x10001530
                                                                                      hqruohhkvpdalhq     24       0x10001620
                                                                                      htdaydfvtjlujwcaj   25       0x10001660
                                                                                      hzyrvjtx            26       0x100017c0
                                                                                      ifnsupqhxkwj        27       0x10001870
                                                                                      ijhgowlpmypocg      28       0x10001720
                                                                                      ispjhrqaxnyflnn     29       0x100015a0
                                                                                      iszvcqv             30       0x100017a0
                                                                                      ixgucop             31       0x100018d0
                                                                                      jcdvrhrguqtjpkc     32       0x100016b0
                                                                                      jkfyadsdpoks        33       0x100019c0
                                                                                      kfzgxmljkwaqy       34       0x10001730
                                                                                      kzfvroxozxufciczm   35       0x10001740
                                                                                      lpstjqa             36       0x10001900
                                                                                      ltkoyvzovzkqemyw    37       0x10001630
                                                                                      mdigcwjymnzvgaql    38       0x100014d0
                                                                                      mefathlzguuhqodfx   39       0x10001950
                                                                                      mgsrmfbja           40       0x10001500
                                                                                      mrxhcceopg          41       0x100014a0
                                                                                      nafhmuoq            42       0x100018f0
                                                                                      nefxgpc             43       0x100018a0
                                                                                      nrehxpiznrppeu      44       0x10001690
                                                                                      nucocnvjyqp         45       0x100018e0
                                                                                      obxoxtcbntaxofr     46       0x10001890
                                                                                      ofrzojd             47       0x100016e0
                                                                                      oofbctfc            48       0x10001550
                                                                                      opzpazspbecyjojf    49       0x100015b0
                                                                                      oqoigff             50       0x10001a00
                                                                                      oujlzhzvhjh         51       0x100016f0
                                                                                      ovpsanbypajv        52       0x100015e0
                                                                                      pblpcaadqbdxyb      53       0x10001680
                                                                                      ragwdgnyohftj       54       0x100017d0
                                                                                      rfosmac             55       0x10001710
                                                                                      rgymbuetvifqjqdlo   56       0x10001930
                                                                                      rmoxbxbbgidnbds     57       0x10001970
                                                                                      rxnkmfbycdcc        58       0x10001560
                                                                                      sefltbc             59       0x10001880
                                                                                      sgieprcsphl         60       0x100019a0
                                                                                      shpcmnqzvyltgdt     61       0x100016d0
                                                                                      slktbekupvmdbt      62       0x100015c0
                                                                                      sormivnk            63       0x10001570
                                                                                      tdblkstlyin         64       0x10001600
                                                                                      tkllyrc             65       0x10001650
                                                                                      tkwpnvfqnbpbdqe     66       0x10001a20
                                                                                      tnhtgnjrabqakgeke   67       0x10001700
                                                                                      tzpmcwwig           68       0x10001520
                                                                                      uceklmggjof         69       0x10001610
                                                                                      ukwdddyj            70       0x10001640
                                                                                      uwnaptydgur         71       0x10001940
                                                                                      vjusqoeo            72       0x10001580
                                                                                      vnyufpq             73       0x10001590
                                                                                      vsrwmkhzkrtlexxb    74       0x100014e0
                                                                                      wermsdfzb           75       0x10001770
                                                                                      wkhpfdjkypy         76       0x100014c0
                                                                                      wksndtayhfm         77       0x100015d0
                                                                                      wnjvxspilxpchq      78       0x10001670
                                                                                      wuqwfssiddrcl       79       0x10001570
                                                                                      wyyhtqptznbrknitg   80       0x100017f0
                                                                                      wzkcijdvadq         81       0x10001540
                                                                                      wzxlvxuyy           82       0x100019b0
                                                                                      xhtxeilfgsghxik     83       0x10001780
                                                                                      xvdijhconoukll      84       0x100014b0
                                                                                      ybbwnezvxfafm       85       0x10001750
                                                                                      yeylpreasnzamgac    86       0x100019d0
                                                                                      ypkidshxgzkkehc     87       0x100018c0
                                                                                      ypzvmpfbgai         88       0x10001760
                                                                                      zbrzizodycg         89       0x10001990
                                                                                      zdiuqcnzg           90       0x10001920
                                                                                      zfkwwtxd            91       0x10001490
                                                                                      zktykfwmaehxg       92       0x10001600
                                                                                      zmkbqvofdhermov     93       0x10001960
                                                                                      zvtqmkitgmzgo       94       0x100017b0

                                                                                      Network Behavior

                                                                                      No network behavior found

                                                                                      Code Manipulations

                                                                                      Statistics

                                                                                      Behavior

                                                                                      System Behavior

                                                                                      General

                                                                                      Start time:00:17:43
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\loaddll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:loaddll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll"
                                                                                      Imagebase:0x1290000
                                                                                      File size:893440 bytes
                                                                                      MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.594385432.0000000000B10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.594385432.0000000000B10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.546111377.0000000000B10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.546111377.0000000000B10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.566017355.0000000000D7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.566017355.0000000000D7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.565844645.0000000000B10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.565844645.0000000000B10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.544809627.0000000000D7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.544809627.0000000000D7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.564089777.0000000000B10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.564089777.0000000000B10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.564150952.0000000000D7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.564150952.0000000000D7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.594452020.0000000000D7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.594452020.0000000000D7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.546379647.0000000000D7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.546379647.0000000000D7C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.544682886.0000000000B10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.544682886.0000000000B10000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:17:44
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
                                                                                      Imagebase:0xd80000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:17:44
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL
                                                                                      Imagebase:0xf10000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.539257826.00000000009E0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.539257826.00000000009E0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000003.513866249.0000000000BD5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000003.513866249.0000000000BD5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:17:44
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
                                                                                      Imagebase:0xf10000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.539875956.00000000046D0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.539875956.00000000046D0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.532223099.0000000000DBA000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:17:45
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:17:46
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:17:48
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu
                                                                                      Imagebase:0xf10000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.539444017.0000000000940000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.539444017.0000000000940000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.539407249.000000000081A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:17:53
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,akyncbgollmj
                                                                                      Imagebase:0xf10000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.544278858.000000000328A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.543487140.0000000000E70000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.543487140.0000000000E70000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:19:05
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\wermgr.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "572" "2360" "2316" "2356" "0" "0" "2352" "0" "0" "0" "0" "0"
                                                                                      Imagebase:0x7ff7f36b0000
                                                                                      File size:209312 bytes
                                                                                      MD5 hash:FF214585BF10206E21EA8EBA202FACFD
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:19:06
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:19:09
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:19:26
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:19:32
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                                                                                      Imagebase:0xf10000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:19:36
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso",qxtrVBTbrIKuSW
                                                                                      Imagebase:0xf10000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.661436675.0000000000C4A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.662192713.0000000004540000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.662192713.0000000004540000.00000040.00000001.sdmp, Author: Joe Security

                                                                                      General

                                                                                      Start time:00:19:40
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                                                                                      Imagebase:0xf10000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:19:45
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\SgrmBroker.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                      Imagebase:0x7ff612b70000
                                                                                      File size:163336 bytes
                                                                                      MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:19:45
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
                                                                                      Imagebase:0xf10000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:19:47
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4340 -ip 4340
                                                                                      Imagebase:0x280000
                                                                                      File size:434592 bytes
                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:19:48
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:19:49
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 308
                                                                                      Imagebase:0x280000
                                                                                      File size:434592 bytes
                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                      Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:19:50
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:19:56
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4340 -ip 4340
Imagebase: 0x280000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:19:58
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:19:58
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 316
Imagebase: 0x280000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:20:22
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:20:34
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:20:41
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pmleysyipg\sjdwpny.iso",Control_RunDLL
Imagebase: 0xf10000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis