Windows Analysis Report efELSMI5R4.dll

Overview

General Information

Sample Name: efELSMI5R4.dll
Analysis ID: 532312
MD5: 1ec5996508211a8d174a1a09d6289463
SHA1: ede146abf146c0dfdb88431dfecf5cc80b267335
SHA256: 2933137a5e251f44b2e6d2cc919c8a679651a76b900b3b9e2b06edc73b64e5e6
Tags: 32 dll exe trojan
Most interesting Screenshot:

Detection

Emotet
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Emotet
Multi AV Scanner detection for submitted file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Changes security center settings (notifications, updates, antivirus, firewall)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Deletes files inside the Windows folder
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Drops PE files to the windows directory (C:\Windows)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7084 cmdline: loaddll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 7104 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7140 cmdline: rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 4892 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tqu",YATH MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7128 cmdline: rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6092 cmdline: rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6956 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5032 cmdline: rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6952 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 5240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 344 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 7152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5824 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2336 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • wermgr.exe (PID: 5096 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "572" "2276" "2168" "2272" "0" "0" "2268" "0" "0" "0" "0" "0" MD5: FF214585BF10206E21EA8EBA202FACFD)
  • svchost.exe (PID: 6524 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6588 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 1244 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7084 -ip 7084 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 2228 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7084 -ip 7084 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6692 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6940 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 2884 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.516956813.0000000000600000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.516956813.0000000000600000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000000.629962254.0000000000CCC000.00000004.00000020.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000000.629962254.0000000000CCC000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000000.545400007.0000000000CCC000.00000004.00000020.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(5 of 35 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.loaddll32.exe.920000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.0.loaddll32.exe.920000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.0.loaddll32.exe.cd3b40.4.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.0.loaddll32.exe.cd3b40.4.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.0.loaddll32.exe.cd3b40.10.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(5 of 71 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: efELSMI5R4.dll; Virustotal: Detection: 19%
Source: efELSMI5R4.dll; ReversingLabs: Detection: 17%
Source: efELSMI5R4.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: efELSMI5R4.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: :KiUserCallbackDispatcherRSDSwntdll.pdb; source: WerFault.exe, 00000016.00000002.684050713.00000000003A2000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6EA40927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6EA40927 FindFirstFileExW,

E-Banking Fraud:

Yara detected Emotet
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7084 -ip 7084
Source: C:\Windows\SysWOW64\rundll32.exe; File deleted: C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tqu:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\SysWOW64\Luvyipkowrkroyzm\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032F0370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E6540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032EE5A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E0BA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032EDDA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E89A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032ED7BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D59BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D43BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E85B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032EE3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D358B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032EDB87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D4B81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E3782
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D8D80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D7795
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DB191
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E1591
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D51EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032EEDED
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DA3E7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D19C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D75D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E282D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D3228
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D9824
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D243F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D3432
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D800A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032EC205
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032F261E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D3A6C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D6869
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DB464
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DEE60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D387F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DFA78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032EB677
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D544C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DAA4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E7445
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E3043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DAE43
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DCE5A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032EEA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D6453
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DF48A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DA083
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DFE9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E009A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032EA29B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032EE899
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E0E97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E0A93
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032ECE90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032DC0EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E56E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D40E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E40FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D1EFB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D46FA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E62F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E4CF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D84F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032F20CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E10CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D92C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D2CC2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032F1CDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D90D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E28D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032E52D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA277B4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA29F10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA21DE0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA2D530
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA23A90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA3E3A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA30380
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA268B0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA2A890
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA2E890
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA310C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA26070
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FF1291
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEEA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE40FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD1EFB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD46FA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE62F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE4CF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD84F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDC0EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE56E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD40E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FF1CDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD90D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE28D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE52D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FF20CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE10CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD92C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD2CC2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDFE9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE009A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEA29B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEE899
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE0E97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE0A93
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FECE90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDF48A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDA083
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD387F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDFA78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEB677
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD3A6C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD6869
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDB464
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDEE60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDCE5A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD6453
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD544C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDAA4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE7445
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE3043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDAE43
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD243F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD3432
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE282D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD3228
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD9824
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FF261E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD800A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEC205
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD51EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEEDED
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDA3E7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD75D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD19C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FED7BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD59BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD43BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE85B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEE3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEE5A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE0BA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEDDA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE89A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD7795
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDB191
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE1591
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD358B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEDB87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD4B81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE3782
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD8D80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FF0370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDCF6E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDBD61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE6540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDF73B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FECD35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDA92F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE9124
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD4D1E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FDCB13
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE590E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE3D0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEBF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FE970A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FEE10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DB464
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EEA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D9824
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D243F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E40FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006F20CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E10CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D92C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006F1291
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DCF6E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E9124
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E3D0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EDB87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E3782
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D3A6C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D6869
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DEE60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D387F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DFA78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EB677
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D544C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DAA4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E7445
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E3043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DAE43
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DCE5A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D6453
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E282D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D3228
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D3432
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D800A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EC205
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006F261E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DC0EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E56E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D40E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D1EFB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D46FA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E62F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E4CF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D84F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D2CC2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006F1CDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D90D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E28D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E52D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DF48A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DA083
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DFE9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E009A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EA29B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EE899
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E0E97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E0A93
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006ECE90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DBD61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006F0370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E6540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DA92F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DF73B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006ECD35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E590E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EBF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E970A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EE10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D4D1E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DCB13
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D51EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EEDED
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DA3E7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D19C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D75D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EE5A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E0BA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EDDA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E89A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006ED7BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D59BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D43BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E85B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006EE3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D358B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D4B81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D8D80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D7795
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006DB191
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006E1591
                      Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EA3AC90 appears 33 times
                      Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EA21DE0 appears 97 times
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA3AC90 appears 33 times
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA21DE0 appears 97 times
                      Source: efELSMI5R4.dll Virustotal: Detection: 19%
                      Source: efELSMI5R4.dll ReversingLabs: Detection: 17%
                      Source: efELSMI5R4.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
                      Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll"
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj
                      Source: unknown Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "572" "2276" "2168" "2272" "0" "0" "2268" "0" "0" "0" "0" "0"
                      Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                      Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7084 -ip 7084
                      Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7084 -ip 7084
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tqu",YATH
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 344
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:2228:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:1244:64:WilError_01
                      Source: C:\Windows\System32\wermgr.exeMutant created: \BaseNamedObjects\Local\SM0:5096:120:WilError_01
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etlJump to behavior
                      Source: C:\Windows\System32\wermgr.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4A6.tmpJump to behavior
                      Source: classification engineClassification label: mal72.troj.evad.winDLL@37/12@0/0
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: efELSMI5R4.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: efELSMI5R4.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: :KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000016.00000002.684050713.00000000003A2000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_009213E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EA46A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_032D13E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6EA46A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02FD13E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006D13E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EA2E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tquJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tqu:Zone.Identifier (read attributes | delete)
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Oreodoh\rvkuiukjras.enc:Zone.Identifier (read attributes | delete)
                      Source: C:\Windows\System32\svchost.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA40927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA40927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
                      Source: svchost.exe, 00000005.00000002.684453139.000001C99D202000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: WerFault.exe, 00000016.00000002.686514227.000000000473A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                      Source: WerFault.exe, 00000016.00000002.686184575.0000000004708000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@Ut
                      Source: svchost.exe, 00000005.00000002.684497000.000001C99D228000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.684366581.000002320DC29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA40326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009307D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA39990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA3EC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA402CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA39920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA39920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032E07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA39990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA3EC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA402CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA39920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA39920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02FE07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006E07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA2E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA21290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009328D5 LdrInitializeThunk,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA3A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA40326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA3AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA3A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA40326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA3AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7084 -ip 7084
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7084 -ip 7084
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 344
                      Source: loaddll32.exe, 00000000.00000000.642253548.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.666953506.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.612984650.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000002.686964466.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.553538519.0000000001240000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.684250383.000001980CF90000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.686306336.0000000003170000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000000.642253548.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.666953506.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.612984650.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000002.686964466.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.553538519.0000000001240000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.684250383.000001980CF90000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.686306336.0000000003170000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.642253548.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.666953506.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.612984650.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000002.686964466.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.553538519.0000000001240000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.684250383.000001980CF90000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.686306336.0000000003170000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.642253548.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.666953506.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.612984650.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000002.686964466.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.553538519.0000000001240000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.684250383.000001980CF90000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.686306336.0000000003170000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA3A584 cpuid
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA3A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: svchost.exe, 00000013.00000002.685217722.0000018451640000.00000004.00000001.sdmp | Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 00000013.00000002.685038931.0000018451629000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.685417229.0000018451702000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match | File source: 0.0.loaddll32.exe.920000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.cd3b40.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.cd3b40.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.30a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.920000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.cd3b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.920000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.32d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.3472148.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.cd3b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.920000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.cd3b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.600000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.920000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.cd3b40.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.6d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.600000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.920000.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.920000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.cd3b40.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.cd3b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.2fd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.3472148.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.32d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.30a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.cd3b40.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.31820a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.6a2160.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.cd3b40.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.loaddll32.exe.920000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.6a2160.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.2fd0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.31820a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000003.00000002.516956813.0000000000600000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.629962254.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.545400007.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000003.665545793.00000000008F9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.497340032.00000000033D2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.620091364.0000000000920000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.685885620.0000000000920000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.535753712.0000000000920000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.564256085.00000000030A0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.518881595.00000000032D0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.518906170.000000000345A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.516978960.000000000068A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.667708514.0000000003460000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.605013673.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.569478783.000000000316A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.666094116.0000000000920000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.666680634.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000003.665849147.00000000034DA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000002.669521657.00000000006D0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.590946343.0000000000920000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.686580217.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.518853652.0000000002FD0000.00000040.00000010.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection12 | Masquerading21 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion1 | Security Account Manager | Security Software Discovery51 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Virtualization/Sandbox Evasion1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | System Information Discovery13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

                      [Behavior graph image not reproduced. Behavior Graph ID: 532312, Sample: efELSMI5R4.dll, Startdate: 02/12/2021, Architecture: WINDOWS, Score: 72. Signatures shown in the graph: Multi AV Scanner detection for submitted file; Yara detected Emotet; Changes security center settings (notifications, updates, antivirus, firewall); Hides that the sample has been downloaded from the Internet (zone.identifier).]

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      efELSMI5R4.dll | 20% | Virustotal |
                      efELSMI5R4.dll | 18% | ReversingLabs | Win32.Infostealer.Convagent

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      3.2.rundll32.exe.600000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.920000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      13.2.rundll32.exe.6d0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.920000.5.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.2.loaddll32.exe.920000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.920000.9.unpack | 100% | Avira | HEUR/AGEN.1110387
                      8.2.rundll32.exe.2fd0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      2.2.rundll32.exe.32d0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      7.2.rundll32.exe.30a0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.0.loaddll32.exe.920000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
                      15.2.rundll32.exe.3460000.0.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://crl.m | 0% | URL Reputation | safe
                      https://dynamic.t | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000C.00000003.503882682.00000179FEA35000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000C.00000002.540989929.00000179FEA41000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000C.00000002.540992990.00000179FEA44000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539711087.00000179FEA43000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539701661.00000179FEA42000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 0000000C.00000003.537790536.00000179FEA69000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.541016012.00000179FEA6B000.00000004.00000001.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000C.00000003.537823223.00000179FEA4D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539719943.00000179FEA50000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.541002983.00000179FEA56000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000C.00000003.503882682.00000179FEA35000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000C.00000002.540996379.00000179FEA4A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539684743.00000179FEA49000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539701661.00000179FEA42000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000C.00000002.540992990.00000179FEA44000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539711087.00000179FEA43000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539701661.00000179FEA42000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000C.00000003.537823223.00000179FEA4D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000C.00000003.503882682.00000179FEA35000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000C.00000002.540996379.00000179FEA4A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539684743.00000179FEA49000.00000004.00000001.sdmp | false | | high
http://crl.m | WerFault.exe, 00000016.00000002.686615758.000000000474E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000C.00000002.540992990.00000179FEA44000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539711087.00000179FEA43000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539701661.00000179FEA42000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000C.00000002.541008566.00000179FEA61000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.537819232.00000179FEA60000.00000004.00000001.sdmp | false | | high
https://dynamic.t | svchost.exe, 0000000C.00000002.541002983.00000179FEA56000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000C.00000003.539715635.00000179FEA3E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.503882682.00000179FEA35000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000C.00000002.540996379.00000179FEA4A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539684743.00000179FEA49000.00000004.00000001.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 0000000C.00000002.540969399.00000179FEA13000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000C.00000002.540992990.00000179FEA44000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539711087.00000179FEA43000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539701661.00000179FEA42000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000C.00000003.537823223.00000179FEA4D000.00000004.00000001.sdmp | false | | high

                                                                                      Contacted IPs

                                                                                      No contacted IP infos

                                                                                      General Information

                                                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                      Analysis ID:532312
                                                                                      Start date:02.12.2021
                                                                                      Start time:00:55:55
                                                                                      Joe Sandbox Product:CloudBasic
                                                                                      Overall analysis duration:0h 10m 26s
                                                                                      Hypervisor based Inspection enabled:false
                                                                                      Report type:light
                                                                                      Sample file name:efELSMI5R4.dll
                                                                                      Cookbook file name:default.jbs
                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                      Run name:Run with higher sleep bypass
                                                                                      Number of analysed new started processes analysed:23
                                                                                      Number of new started drivers analysed:0
                                                                                      Number of existing processes analysed:0
                                                                                      Number of existing drivers analysed:0
                                                                                      Number of injected processes analysed:0
                                                                                      Technologies:
                                                                                      • HCA enabled
                                                                                      • EGA enabled
                                                                                      • HDC enabled
                                                                                      • AMSI enabled
                                                                                      Analysis Mode:default
                                                                                      Analysis stop reason:Timeout
                                                                                      Detection:MAL
                                                                                      Classification:mal72.troj.evad.winDLL@37/12@0/0
                                                                                      EGA Information:Failed
                                                                                      HDC Information:
                                                                                      • Successful, ratio: 25.3% (good quality ratio 23.6%)
                                                                                      • Quality average: 72.6%
                                                                                      • Quality standard deviation: 27.2%
                                                                                      HCA Information:
                                                                                      • Successful, ratio: 77%
                                                                                      • Number of executed functions: 0
                                                                                      • Number of non-executed functions: 0
                                                                                      Cookbook Comments:
                                                                                      • Adjust boot time
                                                                                      • Enable AMSI
                                                                                      • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                                                                                      • Found application associated with file extension: .dll
                                                                                      Warnings:
                                                                                      • Exclude process from analysis (whitelisted): WMIADAP.exe
                                                                                      • Excluded IPs from analysis (whitelisted): 20.190.159.137, 40.126.31.138, 20.190.159.133, 40.126.31.9, 40.126.31.2, 20.190.159.135, 20.190.159.131, 40.126.31.140, 20.42.65.92
                                                                                      • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, arc.msn.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                      Simulations

                                                                                      Behavior and APIs

                                                                                      No simulations

                                                                                      Joe Sandbox View / Context

                                                                                      IPs

                                                                                      No context

                                                                                      Domains

                                                                                      No context

                                                                                      ASN

                                                                                      No context

                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_NcbService_c3fd3c3f830283a6ba0c7e839e220c16a1c8146_00000000_138b2837\Report.wer
                                                                                      Process:C:\Windows\System32\wermgr.exe
                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.8231951723067327
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:H1MrC1MYSgGgkgOpXItJ+HbHgS3gePnMXh88WAfbNkqKjibkUDvLgWRN1mDjTcuo:OrCStgY1jwHggN/u7siS274ltB
                                                                                      MD5:369DDD6A00F461839364CE0A5618C350
                                                                                      SHA1:47A3F4FF7AE18ED07FFEDDB6570C3B3C681D0225
                                                                                      SHA-256:1794860678438E4CDDC19A5F9CD6F85CA20FEFD3107FC9656CC4F2C07313AE78
                                                                                      SHA-512:AEA5D45B3601BABFA6A5F8012A57D404B69CE0A69B8863369860A97BBECB099675000DB6EE58C4B5B0A4F91DC1EDD7E45D06B33FB2A06FF7993A5D9399E0D1F7
                                                                                      Malicious:false
                                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.S.e.r.v.i.c.e.H.a.n.g.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.9.0.8.8.7.7.2.1.3.8.8.....R.e.p.o.r.t.T.y.p.e.=.3.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.b.8.1.d.f.0.-.3.7.2.1.-.4.3.5.b.-.9.5.b.9.-.0.7.5.8.e.4.a.3.e.b.a.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.c.0.-.0.0.0.0.-.0.0.1.c.-.3.f.e.5.-.0.f.8.a.5.a.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.6.0.b.7.6.b.6.f.b.8.0.2.4.1.7.d.5.1.3.a.d.c.9.6.7.c.5.c.a.f.7.7.f.c.2.b.a.c.6.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.5.6././.1.2././.1.2.:.0.8.:.2.8.:.3.4.!.1.7.e.f.9.!.s.v.c.h.o.s.t...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.I.d.=.3.9.0.....I.s.F.a.t.a.l.=.4.2.9.4.9.6.7.2.9.5.....R.e.s.p.o.n.s.e...t.y.p.e.=.4.....S.i.g.[.0.]...N.a.m.e.=.S.e.r.v.i.c.e. .N.a.m.e.....S.i.g.[.0.]...V.a.l.u.e.=.N.c.b.
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D8A.tmp.txt
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):13340
                                                                                      Entropy (8bit):2.6949263738165645
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:9GiZYWVlM3JRGcYMYJWdHJYEZCytk0ikOffawrRrcaO1Oeq6IOV3:9jZDXArAZtcaO1OeqtOV3
                                                                                      MD5:3CFC69CBB869D5499841608AE3588E17
                                                                                      SHA1:DA00EC700D01F00D344000EE51ABC2A49C1A814A
                                                                                      SHA-256:E4FA4612A40EF26E4F177E82AD82519E610B5BC429D829AA5460EEBFAA5E2FFA
                                                                                      SHA-512:77ADBA72D5757AB4AD5922DC042684C5F87A375AEE3C1A6347419CD0F412EAAFA3975B47F75421FD3BC2B304FBE514B0D5E6A1EDCA3E48EF905B8804DB5CB51A
                                                                                      Malicious:false
                                                                                      Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4A6.tmp.WERInternalMetadata.xml
                                                                                      Process:C:\Windows\System32\wermgr.exe
                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4890
                                                                                      Entropy (8bit):3.7073303275852574
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:RtIU6o7r3GLt3i0phGtGxDtYr74SfV4dKggBCaMEt4Lm:Rrl7r3GLNi0phGtGvYr74SfCpk6m
                                                                                      MD5:34BE64BCB8B363705C9C4DA551D47538
                                                                                      SHA1:4A81A84910CE26D211E115DBEFDA3FED99CAD71F
                                                                                      SHA-256:D5B7EFB56A60F985FFACE77BD8A454D652B99C91E9C4110082326AA7F5EC5DC1
                                                                                      SHA-512:01B2DB0AF928200AFAD8F970EBE00585EE7869F1F5664C31FC71878EA26C0248A0A0E8CC876F820561A6506AD920B5B934649F8D3A305B7621410722ED0FDCA2
                                                                                      Malicious:false
                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.2.4.<./.P.i.d.>.......
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERE7F3.tmp.xml
                                                                                      Process:C:\Windows\System32\wermgr.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4310
                                                                                      Entropy (8bit):4.423803269239469
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwSD8zsjJgtBI9NZWSC8BD8fm8M4JFKfY2xAFPdyq8veY2xqhO8OPd:uITf9roSNCJFKf/0dWe/qk8OPd
                                                                                      MD5:469C4FEC7B84FC0C4E04F5CC72603CA6
                                                                                      SHA1:B5F92BD7A45D92CAB8CBF0D17605A89B19B7C9FB
                                                                                      SHA-256:78A1F6800DAA14B8195C02AA14ACC00A670D22D595FCCDF800073D50C2EB4A96
                                                                                      SHA-512:E1265916EA8FFC9D8A780F0FE14B2C006CDC062719F5C413CE4CA30B01278341B604BC09E36700A9865FE8605E3656AAF4580F31F57A903DF6C9A43064F7C1BD
                                                                                      Malicious:false
                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279808" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERECA5.tmp.csv
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):49232
                                                                                      Entropy (8bit):3.0460235056418297
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:TQH7IpGvba/ceMGHPHnfGqFzRqpxeyR0KUSKO1Xkz9:TQH7IpGvba/ceMGHPHnfGqFzRKxeyR0f
                                                                                      MD5:21C83691B1D67BB0E7EE91722BE9C739
                                                                                      SHA1:54ADC2702FC200682B0DF13D9B04FA71CB94471E
                                                                                      SHA-256:A064274F9A1F1DDAAE130873BE491779757288A60EED61772FBEC169B8D80D78
                                                                                      SHA-512:C6D8BEDAAEB84AD2A039611E142B39D567FDC83603B73920040D62F92C52AFC3B1DF2784EDC48929C86327850BD6652300A2EAECDF5978A4804D18A9BA7FD2F9
                                                                                      Malicious:false
                                                                                      Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                      C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.10999621725422179
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:264Xm/Ey6q9995rIq3qQ10nMCldimE8eawHjc8:26pl68tdLyMCldzE9BHjc8
                                                                                      MD5:0D823330F13DC97B3087A389FF22002E
                                                                                      SHA1:32863EB78B7F1D10B2A84461FB8C0ADB84DA3F08
                                                                                      SHA-256:0592EAFC505C7D769310FBDEB1B6C9C6AF219DC2DEE4581457043C34A6BC23CB
                                                                                      SHA-512:E33E3CE122758118CFF21895A8A3D1413738CAB848E8339CC92803983F73C8D99A2ADE902DE09F8D3A8EAEC93950D58D92352C01B998F1D9189D58034385B653
                                                                                      Malicious:false
                                                                                      Preview: .................................................................................... ...B..6.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................o]v~..... ......w .Z...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P..... ......6....................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.112605537514197
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:zXm/Ey6q9995rO1miM3qQ10nMCldimE8eawHza1miII:ql68tO1tMLyMCldzE9BHza1tII
                                                                                      MD5:B6D8B32C8DB818530C88B7D70C0CB6F1
                                                                                      SHA1:B23B13C8B617E1B654566F8E41B503D411336994
                                                                                      SHA-256:385AA4B4EF7E08F867863C0B783ED41C1A219294EC0CB616DF8CFFA49C69CCE9
                                                                                      SHA-512:E7235B8FA40600D48518ABDC3D80E6B8725C6B45EB4F73D96CF36613EE3184CEB0ADA14DD52ED3BF8EB8C572B7080310BEF385FB57EA7E647FC630C8529CF4BE
                                                                                      Malicious:false
                                                                                      Preview: .................................................................................... ......6.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................o]v~..... ......w .Z...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P..... ...j..6....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.11253967095173796
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:aW9Xm/Ey6q9995F1mK2P3qQ10nMCldimE8eawHza1mKuWV:a3l68T1iPLyMCldzE9BHza1n
                                                                                      MD5:53DF375759499AE134F652CD4E2DD71B
                                                                                      SHA1:F891C9950130540C1A5AF7A290F400D48261C4A1
                                                                                      SHA-256:74011A237DF2625DCFDBA0D7A9266CE9B0CEF34C89A57DC327D22C685E22042D
                                                                                      SHA-512:75EEEA9AD6DB0A2E96C85A089EC07B763AD725536FF7F52C450FA3199703647A33B9F11C6CCD73010947DBD22C709D17BB06CE1F673B9849C55BD86D6F79431D
                                                                                      Malicious:false
                                                                                      Preview: .................................................................................... ....=.6.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................o]v~..... ......P..Z...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P..... ...LE.6....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001 (copy)
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.10999621725422179
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:264Xm/Ey6q9995rIq3qQ10nMCldimE8eawHjc8:26pl68tdLyMCldzE9BHjc8
                                                                                      MD5:0D823330F13DC97B3087A389FF22002E
                                                                                      SHA1:32863EB78B7F1D10B2A84461FB8C0ADB84DA3F08
                                                                                      SHA-256:0592EAFC505C7D769310FBDEB1B6C9C6AF219DC2DEE4581457043C34A6BC23CB
                                                                                      SHA-512:E33E3CE122758118CFF21895A8A3D1413738CAB848E8339CC92803983F73C8D99A2ADE902DE09F8D3A8EAEC93950D58D92352C01B998F1D9189D58034385B653
                                                                                      Malicious:false
                                                                                      Preview: .................................................................................... ...B..6.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................o]v~..... ......w .Z...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P..... ......6....................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.112605537514197
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:zXm/Ey6q9995rO1miM3qQ10nMCldimE8eawHza1miII:ql68tO1tMLyMCldzE9BHza1tII
                                                                                      MD5:B6D8B32C8DB818530C88B7D70C0CB6F1
                                                                                      SHA1:B23B13C8B617E1B654566F8E41B503D411336994
                                                                                      SHA-256:385AA4B4EF7E08F867863C0B783ED41C1A219294EC0CB616DF8CFFA49C69CCE9
                                                                                      SHA-512:E7235B8FA40600D48518ABDC3D80E6B8725C6B45EB4F73D96CF36613EE3184CEB0ADA14DD52ED3BF8EB8C572B7080310BEF385FB57EA7E647FC630C8529CF4BE
                                                                                      Malicious:false
                                                                                      Preview: .................................................................................... ......6.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................o]v~..... ......w .Z...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P..... ...j..6....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001mo (copy)
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.11253967095173796
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:aW9Xm/Ey6q9995F1mK2P3qQ10nMCldimE8eawHza1mKuWV:a3l68T1iPLyMCldzE9BHza1n
                                                                                      MD5:53DF375759499AE134F652CD4E2DD71B
                                                                                      SHA1:F891C9950130540C1A5AF7A290F400D48261C4A1
                                                                                      SHA-256:74011A237DF2625DCFDBA0D7A9266CE9B0CEF34C89A57DC327D22C685E22042D
                                                                                      SHA-512:75EEEA9AD6DB0A2E96C85A089EC07B763AD725536FF7F52C450FA3199703647A33B9F11C6CCD73010947DBD22C709D17BB06CE1F673B9849C55BD86D6F79431D
                                                                                      Malicious:false
                                                                                      Preview: .................................................................................... ....=.6.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................o]v~..... ......P..Z...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P..... ...LE.6....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_085826_059.etl
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):8192
                                                                                      Entropy (8bit):3.3895914623692858
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:IgCOpmo+mU5UY94/YYECYxI2ltskUt4aXT2cjFzYNMCBdJRDhj5H:ix3evZ2wRZCFx
                                                                                      MD5:2777080E9DDA6D90C01649DEBFC9F6CE
                                                                                      SHA1:C6C64DA7B78A79C073BB6BB7858E3C7BA4C75441
                                                                                      SHA-256:4247C9B65C9C97A08786505773A25991F44D73F6AC64EEE7389658F9906AA2C4
                                                                                      SHA-512:F9BF6AB9B69D7FD163FADF0D5DB3988F6BC8B45573C4AA454DC34E56128EA28737090B956E6DDA18AE1555A2954D6CA7358A1BB055DA3F3897E38D881D55B525
                                                                                      Malicious:false
                                                                                      Preview: .... ... ....................................... ...!...............................|...?0B......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..................................................................... ........Z...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.2.0.2._.0.8.5.8.2.6._.0.5.9...e.t.l.........P.P.....|...?0B.....................................................................................................................................................................................................................................................................

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.0673433889863775
                                                                                      TrID:
                                                                                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                      • DOS Executable Generic (2002/1) 0.20%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:efELSMI5R4.dll
                                                                                      File size:372736
                                                                                      MD5:1ec5996508211a8d174a1a09d6289463
                                                                                      SHA1:ede146abf146c0dfdb88431dfecf5cc80b267335
                                                                                      SHA256:2933137a5e251f44b2e6d2cc919c8a679651a76b900b3b9e2b06edc73b64e5e6
                                                                                      SHA512:796194f3fa1b90a732fd2e567f6b3acd2443282e5c3c1d69db3f619b2285f5526e2059ac5ecfb47467cdec1539e3a0d936d83679677e67b87ee7573406f720bd
                                                                                      SSDEEP:6144:qRsMh9YQWtcgA70wgF7nJye6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFLTRQKqV4epRmxAvAD
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

                                                                                      File Icon

                                                                                      Icon Hash:74f0e4ecccdce0e4

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x1001a401
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x10000000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                      Time Stamp:0x61A7100E [Wed Dec 1 06:02:54 2021 UTC]
                                                                                      TLS Callbacks:0x1000c500
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:6
                                                                                      OS Version Minor:0
                                                                                      File Version Major:6
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:6
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:609402ef170a35cc0e660d7d95ac10ce

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      cmp dword ptr [ebp+0Ch], 01h
                                                                                      jne 00007F6948C5EF17h
                                                                                      call 00007F6948C5F2A8h
                                                                                      push dword ptr [ebp+10h]
                                                                                      push dword ptr [ebp+0Ch]
                                                                                      push dword ptr [ebp+08h]
                                                                                      call 00007F6948C5EDC3h
                                                                                      add esp, 0Ch
                                                                                      pop ebp
                                                                                      retn 000Ch
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      push dword ptr [ebp+08h]
                                                                                      call 00007F6948C5F7BEh
                                                                                      pop ecx
                                                                                      pop ebp
                                                                                      ret
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      jmp 00007F6948C5EF1Fh
                                                                                      push dword ptr [ebp+08h]
                                                                                      call 00007F6948C632A4h
                                                                                      pop ecx
                                                                                      test eax, eax
                                                                                      je 00007F6948C5EF21h
                                                                                      push dword ptr [ebp+08h]
                                                                                      call 00007F6948C63320h
                                                                                      pop ecx
                                                                                      test eax, eax
                                                                                      je 00007F6948C5EEF8h
                                                                                      pop ebp
                                                                                      ret
                                                                                      cmp dword ptr [ebp+08h], FFFFFFFFh
                                                                                      je 00007F6948C5F883h
                                                                                      jmp 00007F6948C5F860h
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      push 00000000h
                                                                                      call dword ptr [1002808Ch]
                                                                                      push dword ptr [ebp+08h]
                                                                                      call dword ptr [10028088h]
                                                                                      push C0000409h
                                                                                      call dword ptr [10028040h]
                                                                                      push eax
                                                                                      call dword ptr [10028090h]
                                                                                      pop ebp
                                                                                      ret
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      sub esp, 00000324h
                                                                                      push 00000017h
                                                                                      call dword ptr [10028094h]
                                                                                      test eax, eax
                                                                                      je 00007F6948C5EF17h
                                                                                      push 00000002h
                                                                                      pop ecx
                                                                                      int 29h
                                                                                      mov dword ptr [1005AF18h], eax
                                                                                      mov dword ptr [1005AF14h], ecx
                                                                                      mov dword ptr [1005AF10h], edx
                                                                                      mov dword ptr [1005AF0Ch], ebx
                                                                                      mov dword ptr [1005AF08h], esi
                                                                                      mov dword ptr [1005AF04h], edi
                                                                                      mov word ptr [eax], es

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x58390 | 0x8ac | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x58c3c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5d000 | 0x1bb0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x56fdc | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x57100 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x57030 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x28000 | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x264f4 | 0x26600 | False | 0.546620521173 | data | 6.29652715831 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x28000 | 0x313fa | 0x31400 | False | 0.822468868972 | data | 7.4322686519 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5a000 | 0x1844 | 0xe00 | False | 0.270647321429 | data | 2.60881097454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x5c000 | 0x66c | 0x800 | False | 0.3583984375 | data | 2.21689595795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x5d000 | 0x1bb0 | 0x1c00 | False | 0.784598214286 | data | 6.62358237634 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
KERNEL32.dll | HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer
USER32.dll | GetDC, ReleaseDC, GetWindowRect

Exports

Name | Ordinal | Address
Control_RunDLL | 1 | 0x100010a0
ajkaibu | 2 | 0x100016c0
akyncbgollmj | 3 | 0x10001480
alrcidxljxybdggs | 4 | 0x10001860
bgmotrriehds | 5 | 0x10001820
bojkfvynhhupnooyb | 6 | 0x100019f0
bujuoqldqlzaod | 7 | 0x10001800
bunsahctogxzts | 8 | 0x100019e0
cjogbtafwukesw | 9 | 0x10001830
csbbcaopuok | 10 | 0x100016a0
cyqrjpaeorjur | 11 | 0x100015f0
dlrzuyaeqj | 12 | 0x10001840
egiimrq | 13 | 0x10001850
evhgyts | 14 | 0x100014f0
fdqpjjjyuw | 15 | 0x100017e0
finabzjyxhxnnuuv | 16 | 0x10001510
fkeacqpbbfw | 17 | 0x10001910
fuwsgzf | 18 | 0x10001790
fzbmpailk | 19 | 0x10001980
gamsrhauvgl | 20 | 0x10001810
gjfqgtgk | 21 | 0x10001a10
gwsmfxfmekkyr | 22 | 0x100018b0
haymuvtatadeydqmk | 23 | 0x10001530
hqruohhkvpdalhq | 24 | 0x10001620
htdaydfvtjlujwcaj | 25 | 0x10001660
hzyrvjtx | 26 | 0x100017c0
ifnsupqhxkwj | 27 | 0x10001870
ijhgowlpmypocg | 28 | 0x10001720
ispjhrqaxnyflnn | 29 | 0x100015a0
iszvcqv | 30 | 0x100017a0
ixgucop | 31 | 0x100018d0
jcdvrhrguqtjpkc | 32 | 0x100016b0
jkfyadsdpoks | 33 | 0x100019c0
kfzgxmljkwaqy | 34 | 0x10001730
kzfvroxozxufciczm | 35 | 0x10001740
lpstjqa | 36 | 0x10001900
ltkoyvzovzkqemyw | 37 | 0x10001630
mdigcwjymnzvgaql | 38 | 0x100014d0
mefathlzguuhqodfx | 39 | 0x10001950
mgsrmfbja | 40 | 0x10001500
mrxhcceopg | 41 | 0x100014a0
nafhmuoq | 42 | 0x100018f0
nefxgpc | 43 | 0x100018a0
nrehxpiznrppeu | 44 | 0x10001690
nucocnvjyqp | 45 | 0x100018e0
obxoxtcbntaxofr | 46 | 0x10001890
ofrzojd | 47 | 0x100016e0
oofbctfc | 48 | 0x10001550
opzpazspbecyjojf | 49 | 0x100015b0
oqoigff | 50 | 0x10001a00
oujlzhzvhjh | 51 | 0x100016f0
ovpsanbypajv | 52 | 0x100015e0
pblpcaadqbdxyb | 53 | 0x10001680
ragwdgnyohftj | 54 | 0x100017d0
rfosmac | 55 | 0x10001710
rgymbuetvifqjqdlo | 56 | 0x10001930
rmoxbxbbgidnbds | 57 | 0x10001970
rxnkmfbycdcc | 58 | 0x10001560
sefltbc | 59 | 0x10001880
sgieprcsphl | 60 | 0x100019a0
shpcmnqzvyltgdt | 61 | 0x100016d0
slktbekupvmdbt | 62 | 0x100015c0
sormivnk | 63 | 0x10001570
tdblkstlyin | 64 | 0x10001600
tkllyrc | 65 | 0x10001650
tkwpnvfqnbpbdqe | 66 | 0x10001a20
tnhtgnjrabqakgeke | 67 | 0x10001700
tzpmcwwig | 68 | 0x10001520
uceklmggjof | 69 | 0x10001610
ukwdddyj | 70 | 0x10001640
uwnaptydgur | 71 | 0x10001940
vjusqoeo | 72 | 0x10001580
vnyufpq | 73 | 0x10001590
vsrwmkhzkrtlexxb | 74 | 0x100014e0
wermsdfzb | 75 | 0x10001770
wkhpfdjkypy | 76 | 0x100014c0
wksndtayhfm | 77 | 0x100015d0
wnjvxspilxpchq | 78 | 0x10001670
wuqwfssiddrcl | 79 | 0x10001570
wyyhtqptznbrknitg | 80 | 0x100017f0
wzkcijdvadq | 81 | 0x10001540
wzxlvxuyy | 82 | 0x100019b0
xhtxeilfgsghxik | 83 | 0x10001780
xvdijhconoukll | 84 | 0x100014b0
ybbwnezvxfafm | 85 | 0x10001750
yeylpreasnzamgac | 86 | 0x100019d0
ypkidshxgzkkehc | 87 | 0x100018c0
ypzvmpfbgai | 88 | 0x10001760
zbrzizodycg | 89 | 0x10001990
zdiuqcnzg | 90 | 0x10001920
zfkwwtxd | 91 | 0x10001490
zktykfwmaehxg | 92 | 0x10001600
zmkbqvofdhermov | 93 | 0x10001960
zvtqmkitgmzgo | 94 | 0x100017b0

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 00:56:46
Start date: 02/12/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll"
Imagebase: 0x9b0000
File size: 893440 bytes
MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.629962254.0000000000CCC000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.629962254.0000000000CCC000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.545400007.0000000000CCC000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.545400007.0000000000CCC000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.620091364.0000000000920000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.620091364.0000000000920000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.685885620.0000000000920000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.685885620.0000000000920000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.535753712.0000000000920000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.535753712.0000000000920000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.605013673.0000000000CCC000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.605013673.0000000000CCC000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.666094116.0000000000920000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.666094116.0000000000920000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.666680634.0000000000CCC000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.666680634.0000000000CCC000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.590946343.0000000000920000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.590946343.0000000000920000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.686580217.0000000000CCC000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.686580217.0000000000CCC000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:56:46
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Imagebase: 0xd80000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:56:47
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
Imagebase: 0xce0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000003.497340032.00000000033D2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.518881595.00000000032D0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.518881595.00000000032D0000.00000040.00000010.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:56:47
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Imagebase: 0xce0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.516956813.0000000000600000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.516956813.0000000000600000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.516978960.000000000068A000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:56:47
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:56:48
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                      General

                                                                                      Start time:00:56:49
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:56:51
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu
                                                                                      Imagebase:0xce0000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.564256085.00000000030A0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.564256085.00000000030A0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.569478783.000000000316A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:56:55
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj
                                                                                      Imagebase:0xce0000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.518906170.000000000345A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.518853652.0000000002FD0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.518853652.0000000002FD0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:58:08
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\wermgr.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "572" "2276" "2168" "2272" "0" "0" "2268" "0" "0" "0" "0" "0"
                                                                                      Imagebase:0x7ff73afe0000
                                                                                      File size:209312 bytes
                                                                                      MD5 hash:FF214585BF10206E21EA8EBA202FACFD
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:58:09
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:00:58:10
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:58:26
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:58:30
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                                                                                      Imagebase:0xce0000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000003.665545793.00000000008F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000003.665545793.00000000008F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.669521657.00000000006D0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.669521657.00000000006D0000.00000040.00000010.sdmp, Author: Joe Security

                                                                                      General

                                                                                      Start time:00:58:34
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                                                                                      Imagebase:0xce0000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:58:37
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
                                                                                      Imagebase:0xce0000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.667708514.0000000003460000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.667708514.0000000003460000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000003.665849147.00000000034DA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000003.665849147.00000000034DA000.00000004.00000001.sdmp, Author: Joe Security

                                                                                      General

                                                                                      Start time:00:58:38
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\SgrmBroker.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                      Imagebase:0x7ff6211b0000
                                                                                      File size:163336 bytes
                                                                                      MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:58:42
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7084 -ip 7084
                                                                                      Imagebase:0x8e0000
                                                                                      File size:434592 bytes
                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:58:50
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:58:53
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7084 -ip 7084
                                                                                      Imagebase:0x8e0000
                                                                                      File size:434592 bytes
                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:59:48
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tqu",YATH
                                                                                      Imagebase:0xce0000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:00:59:48
                                                                                      Start date:02/12/2021
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 344
                                                                                      Imagebase:
                                                                                      File size:434592 bytes
                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

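The rundll32.exe records above are the most useful triage signal in this process list: the sample is first loaded from the user's Desktop through two export names that look generated (ajkaibu, akyncbgollmj) and through Control_RunDLL, and the last rundll32 launch loads a copy of it from a randomly named subdirectory of SysWOW64 with a .tqu extension and the export YATH; several of these processes carry Emotet YARA matches in their memory dumps. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own detection logic: it parses rundll32 command lines and flags them with heuristics of my own. The suspicious command lines are copied from the report; the two benign baseline lines and the export-to-module allowlist are constructed assumptions for illustration.

```python
"""Triage rundll32 command lines from a sandbox process list.

Added example: the rules here are my own heuristics, not Joe Sandbox's
signatures. REPORT_CMDLINES are copied from the report's process list;
BENIGN_CMDLINES and EXPECTED_MODULE are constructed assumptions.
"""
import re
from pathlib import PureWindowsPath

# Copied from the report's process list (rundll32 launches of the sample).
REPORT_CMDLINES = [
    r'rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu',
    r'rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tqu",YATH',
]

# Constructed benign baseline (not from the report) so the rules have negative cases.
BENIGN_CMDLINES = [
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl',
    r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\davclnt.dll,DavSetCookie example.org http://example.org/',
]

# Well-known rundll32 entry points and the module that legitimately exports them.
# Assumed allowlist for this example; build yours from your own fleet baseline.
EXPECTED_MODULE = {
    'control_rundll': 'shell32.dll',
    'shellexec_rundll': 'shell32.dll',
    'openas_rundll': 'shell32.dll',
    'fileprotocolhandler': 'url.dll',
    'installhinfsection': 'setupapi.dll',
    'launchinfsection': 'advpack.dll',
    'printuientry': 'printui.dll',
    'davsetcookie': 'davclnt.dll',
}

SYSTEM_DIRS = (r'c:\windows\system32', r'c:\windows\syswow64')

# [path\]rundll32.exe <module>,<export> [args]; rundll32 and module may be quoted.
_RUNDLL = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+'
    r'(?:"(?P<qmod>[^"]+)"|(?P<mod>[^\s,"]+))'
    r',(?P<export>\S+)',
    re.IGNORECASE,
)


def parse_rundll32(cmdline):
    """Return (module_path, export_name), or None if this is not a rundll32 launch."""
    m = _RUNDLL.match(cmdline)
    if not m:
        return None
    return (m.group('qmod') or m.group('mod'), m.group('export'))


def assess(cmdline):
    """Return human-readable reasons the launch looks suspicious (empty list if clean)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, export = parsed
    path = PureWindowsPath(module)
    lowered = str(path).lower()
    reasons = []

    # 1. Where does the module live? Outside the system directories, or in a
    #    subdirectory of them (Luvyipkowrkroyzm here), is not how Windows ships DLLs.
    if not any(lowered.startswith(d + '\\') for d in SYSTEM_DIRS):
        reasons.append('module outside System32/SysWOW64: %s' % path.parent)
    elif path.parent.name.lower() not in ('system32', 'syswow64'):
        reasons.append('module in a subdirectory of a system dir: %s' % path.parent.name)

    # 2. rundll32 hands the path to LoadLibrary, which loads it whatever the
    #    extension, so a non-.dll extension is a masquerade, not a mistake.
    if path.suffix.lower() != '.dll':
        reasons.append('non-.dll extension %r' % path.suffix)

    # 3. Export name: unknown names (ajkaibu, akyncbgollmj, YATH) are flagged outright;
    #    well-known names are only accepted on the module that really exports them.
    key = export.lower()
    if key not in EXPECTED_MODULE:
        reasons.append('export %s is not a well-known rundll32 entry point' % export)
    elif path.name.lower() != EXPECTED_MODULE[key]:
        reasons.append('export %s belongs to %s, not %s' % (export, EXPECTED_MODULE[key], path.name))
    return reasons


def triage(cmdlines):
    """Map each command line to its reasons; clean lines map to an empty list."""
    return {c: assess(c) for c in cmdlines}


if __name__ == '__main__':
    for cmd, reasons in triage(REPORT_CMDLINES + BENIGN_CMDLINES).items():
        print('%s  %s' % ('SUSPECT' if reasons else 'clean  ', cmd))
        for r in reasons:
            print('    - ' + r)
```

All four report command lines are flagged and both constructed baseline lines pass. The third rule is the one worth keeping even after the allowlist is tuned: Control_RunDLL is a real shell32.dll export, so an allowlist keyed on export name alone would accept the third launch above; pairing the export with the module that is expected to provide it is what catches it.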
Disassembly

Code Analysis
