Windows Analysis Report 8ozP45Xn3V

Overview

General Information

Sample Name: 8ozP45Xn3V (renamed file extension from none to dll)
Analysis ID: 553116
MD5: 5b1f5dfeb1d63dfad1961f11a1d13ccd
SHA1: 140fae6f1e530e994b73b5ccf3d8343aa2c3e94b
SHA256: 408e24e34e423d0ee843ee6b153b804765896348e8a046d9aae7b899b3194fb8
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5716 cmdline: loaddll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 5584 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6036 cmdline: rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6180 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6048 cmdline: regsvr32.exe /s C:\Users\user\Desktop\8ozP45Xn3V.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 5824 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3864 cmdline: rundll32.exe C:\Users\user\Desktop\8ozP45Xn3V.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 7024 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Awmbc\hyrvgwa.iff",ywJlCo MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6920 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Awmbc\hyrvgwa.iff",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 2860 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5048 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5772 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6520 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6476 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.678801674.0000000004EA1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000002.1193813171.0000000000AD1000.00000020.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000002.1196243909.0000000004FD0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.683302750.0000000004581000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000002.1196558056.00000000051D0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(showing 5 of 45 entries)

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.ad0000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
8.2.rundll32.exe.4fd0000.12.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
8.2.rundll32.exe.5530000.22.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.e80000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
8.2.rundll32.exe.4f20000.11.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(showing 5 of 70 entries)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5584, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1, ProcessId: 6036

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 8.2.rundll32.exe.5500000.21.unpack; Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 8ozP45Xn3V.dll; Virustotal: Detection: 26%
Source: 8ozP45Xn3V.dll; ReversingLabs: Detection: 30%
Antivirus detection for URL or domain
Source: https://45.138.98.34/tC; Avira URL Cloud: Label: malware
Source: https://45.138.98.34:80/kTrIpBlTHDTtgSQyGu; Avira URL Cloud: Label: malware
Source: https://45.138.98.34:80/kTrIpBlTHDTtgSQyG; Avira URL Cloud: Label: malware
Source: https://45.138.98.34/BCF; Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: 8ozP45Xn3V.dll; Joe Sandbox ML: detected
Source: 8ozP45Xn3V.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49809 -> 45.138.98.34:80
Source: Traffic; Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49810 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration (the 27 C2 endpoints reported by the malware configuration extractor are the ones listed under Malware Configuration above)
Source: Joe Sandbox View; ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View; ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View; IP Address: 207.148.81.119
Source: Joe Sandbox View; IP Address: 104.131.62.48
Source: global traffic; TCP traffic: 192.168.2.4:49810 -> 69.16.218.101:8080
Source: unknown; Network traffic detected: IP country count 12
Source: unknown; TCP traffic detected without corresponding DNS query: 45.138.98.34 (3 occurrences)
Source: unknown; TCP traffic detected without corresponding DNS query: 69.16.218.101 (12 occurrences)
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp; String found in binary or memory: https://45.138.98.34/BCF
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp; String found in binary or memory: https://45.138.98.34/tC
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp; String found in binary or memory: https://45.138.98.34:80/kTrIpBlTHDTtgSQyG
Source: rundll32.exe, 00000008.00000002.1194144589.0000000000DBA000.00000004.00000020.sdmp; String found in binary or memory: https://45.138.98.34:80/kTrIpBlTHDTtgSQyGu
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp; String found in binary or memory: https://69.16.218.101/
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp; String found in binary or memory: https://69.16.218.101/PCH
Source: rundll32.exe, 00000008.00000002.1194144589.0000000000DBA000.00000004.00000020.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp; String found in binary or memory: https://69.16.218.101:8080/mqHphxEnNLNXvTjzpCyiWOKGJsACjqrMZUZsOV
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp; String found in binary or memory: https://69.16.218.101:8080/mqHphxEnNLNXvTjzpCyiWOKGJsACjqrMZUZsOVl
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/didtou.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsec
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecientAuth.srf
                      Source: svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/
                      Source: svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/8
                      Source: svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/Device
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
                      Source: svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassocia8
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
                      Source: svchost.exe, 00000017.00000003.1164390378.000002C9BA755000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
                      Source: svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
                      Source: svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                      Source: svchost.exe, 00000017.00000003.1164466007.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164390378.000002C9BA755000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
                      Source: svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                      Source: svchost.exe, 00000017.00000003.1164539050.000002C9BA70E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164552038.000002C9BA70E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srfq
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
                      Source: svchost.exe, 00000017.00000003.1164539050.000002C9BA70E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164552038.000002C9BA70E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
                      Source: svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502Issuer
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603Issuer
                      Source: svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                      Source: svchost.exe, 00000017.00000003.1164539050.000002C9BA70E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164552038.000002C9BA70E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                      Source: svchost.exe, 00000017.00000003.1164390378.000002C9BA755000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                      Source: svchost.exe, 00000017.00000003.1164390378.000002C9BA755000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
                      Source: svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srfsuer
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
                      Source: svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/resetpw.srf.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/retention.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
                      Source: svchost.exe, 00000014.00000003.808230171.000002AF41B8E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808218416.000002AF41B7D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808191366.000002AF41BC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808173476.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808255276.000002AF41BDE000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000014.00000003.808230171.000002AF41B8E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808218416.000002AF41B7D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808191366.000002AF41BC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808173476.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808255276.000002AF41BDE000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000014.00000003.810766937.000002AF41BD6000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810797201.000002AF41BD6000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.811421758.000002AF41B95000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810823224.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810847190.000002AF42002000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_100012D0 recvfrom,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

                      E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 8.2.rundll32.exe.ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4fd0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.5530000.22.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4f20000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.3490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.5500000.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4a80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.3490000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4e90000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.51d0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4a80000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.50e0000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.49d0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.51d0000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4c80000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.bb0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4c10000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.54d0000.20.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4d30000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4a00000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.b30000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4c10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4d30000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4fd0000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4b80000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4d30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4dc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.5530000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4bb0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4d00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.53d0000.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4b50000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.5400000.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.53d0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4e90000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.5560000.23.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4be0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4580000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.45f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.50b0000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.5000000.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.790000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4bb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4550000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4550000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4ec0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4c40000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.54d0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4ef0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.4ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4c50000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4d00000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.49d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4be0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4bb0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4c50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4580000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.5200000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4d60000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4bb0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.bb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4ef0000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.50b0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4b50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.678801674.0000000004EA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1193813171.0000000000AD1000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1196243909.0000000004FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.683302750.0000000004581000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1196558056.00000000051D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1196279550.0000000005001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1196152272.0000000004EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.681011389.0000000004BE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1196337731.00000000050B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1196188150.0000000004F21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1197175277.0000000005530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1193980230.0000000000BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.683437410.0000000004A01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1195901433.0000000004C81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.683851852.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1196376857.00000000050E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.681810027.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1196877858.00000000053D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1196081984.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.680753650.0000000004A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1197104038.0000000005501000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.680819179.0000000004AB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.683913602.0000000000791000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.683253680.0000000004550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1197250321.0000000005561000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.681140235.0000000004C41000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1195970114.0000000004D30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1193635496.0000000000790000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.684072161.0000000004D31000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.681069343.0000000004C10000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.684008424.0000000004D00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1196596448.0000000005201000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.683386584.00000000049D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.679189508.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.683941130.0000000004BE1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1196982602.0000000005401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.680200574.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.680952916.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.683690737.0000000004B81000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1195866286.0000000004C50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1195525525.00000000045F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1197067981.00000000054D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.679337426.0000000004EF1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.680607350.0000000004581000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.678402531.0000000003490000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1196117652.0000000004EC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.683812885.0000000000510000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1196009130.0000000004D61000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.681945178.0000000000B31000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.683628620.0000000004B50000.00000040.00000001.sdmp, type: MEMORY

                      System Summary:

                      Source: 8ozP45Xn3V.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe; File deleted: C:\Windows\SysWOW64\Awmbc\hyrvgwa.iff:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\SysWOW64\Awmbc\
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10020011
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_100181CA
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1001929D
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1002542D
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_100274AE
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10026575
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1001869D
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1001178A
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10016860
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1002596F
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10022A5C
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10018A71
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1001AAB7
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1001CB16
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10018E7D
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10025EB1
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB85FF
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBEFDD
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBE4E5
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBCCD9
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA1CA1
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBDC71
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBA474
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA7442
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EAA445
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA3431
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA55FF
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB9DF5
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EAC5D8
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBC5D5
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB3D85
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB654A
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB7D5B
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EC2D53
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB8D3D
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBAD08
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB5515
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EC3EE9
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBBEFD
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB3EAA
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EC36AA
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EC46BD
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EAC6B8
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB0EBC
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB567B
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA7E79
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EADE74
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EAE640
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB2E5D
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA8636
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB67E6
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB27F9
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB07F4
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EAE7DE
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB8FAE
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EC07AA
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA77A3
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EC17BD
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA57B8
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EABFBE
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB0F86
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB5779
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB4F74
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB9774
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBFF58
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA1F38
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA670B
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EAEF0C
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EAF0E9
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EC00EF
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA80C0
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBD8DB
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA7078
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EAA871
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBF840
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EAB820
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EC2009
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB8806
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBE1F8
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBD1BC
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB6187
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EA2194
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB017B
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EAD14C
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EB2142
                      Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04EBE955
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10020011
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_100181CA
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001929D
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1002542D
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_100274AE
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10026575
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001869D
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001178A
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10016860
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1002596F
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10022A5C
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10018A71
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001AAB7
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001CB16
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10018E7D
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10025EB1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F085FF
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0EFDD
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0E4E5
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0CCD9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF1CA1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0DC71
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0A474
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFA445
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF7442
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF3431
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F09DF5
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF55FF
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0C5D5
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFC5D8
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F03D85
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F12D53
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F07D5B
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0654A
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F08D3D
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F05515
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0AD08
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0BEFD
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F13EE9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F00EBC
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F146BD
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFC6B8
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F03EAA
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F136AA
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0567B
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF7E79
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFDE74
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F02E5D
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFE640
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF8636
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F007F4
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F027F9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F067E6
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFE7DE
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F117BD
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF77A3
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFBFBE
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF57B8
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F107AA
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F08FAE
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F00F86
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F04F74
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F09774
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F05779
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0FF58
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF1F38
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFEF0C
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF670B
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFF0E9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F100EF
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0D8DB
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF80C0
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF7078
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFA871
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0F840
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFB820
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F08806
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F12009
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0E1F8
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0D1BC
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F06187
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF2194
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0017B
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFD14C
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0E955
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F02142
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0CAD5
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFBAA9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F00ABA
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0A2A5
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F13263
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F10A64
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F04A66
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0B257
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F04244
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F09A01
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F07A0F
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF4BFC
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0FBDE
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFFB8E
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF238C
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EFF369
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F0437A
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04EF6B7A
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F05333
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04F12B09
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B38636
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B47A0F
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B52009
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3DE74
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B44A66
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4B257
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B517BD
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B485FF
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4EFDD
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3C5D8
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3670B
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4AD08
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4E955
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4FF58
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B42142
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4654A
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B546BD
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B40EBC
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3C6B8
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B40ABA
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4A2A5
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B31CA1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3BAA9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B43EAA
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B536AA
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4BEFD
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4E4E5
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3F0E9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B500EF
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B53EE9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4CAD5
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4CCD9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4D8DB
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B380C0
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B33431
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3B820
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B48806
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B49A01
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4A474
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3A871
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4DC71
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B37E79
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B37078
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4567B
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B50A64
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B53263
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B42E5D
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B44244
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B37442
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3E640
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4F840
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3A445
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4D1BC
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B357B8
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3BFBE
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B377A3
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B48FAE
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B507AA
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B32194
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B43D85
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B40F86
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B46187
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3FB8E
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3238C
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B407F4
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B49DF5
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4E1F8
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B355FF
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B427F9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B34BFC
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B467E6
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4C5D5
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4FBDE
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3E7DE
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B45333
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B48D3D
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B31F38
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B45515
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B52B09
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3EF0C
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B44F74
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B49774
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B36B7A
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B45779
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4437A
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B4017B
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3F369
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B52D53
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B47D5B
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_00B3D14C
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0458A445
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0458DE74
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04594A66
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_045A2009
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04597A0F
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04588636
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459FF58
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459654A
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04592142
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459AD08
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0458670B
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0458C5D8
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459EFDD
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04592E5D
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459B257
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0458E640
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459F840
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04587442
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04594244
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04587078
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04587E79
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459567B
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459DC71
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0458A871
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459A474
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_045A3263
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_045A0A64
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04599A01
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04598806
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04583431
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0458B820
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459CCD9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459D8DB
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_0459CAD5
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_045880C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0459BEFD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458F0E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045A3EE9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045A00EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0459E4E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458C6B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04590ABA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04590EBC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045A46BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045A36AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458BAA9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04593EAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04581CA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0459A2A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04597D5B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045A2D53
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0459E955
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458D14C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04595779
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04586B7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0459017B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0459437A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04594F74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04599774
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458F369
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04595515
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045A2B09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458EF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04581F38
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04598D3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04595333
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458E7DE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0459FBDE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0459C5D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045927F9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0459E1F8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04584BFC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045985FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045855FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04599DF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045907F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045967E6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04582194
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458238C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458FB8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04593D85
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04596187
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04590F86
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045857B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0459D1BC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458BFBE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045A17BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045A07AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04598FAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045877A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A85FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AEFDD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00797E79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00797078
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A567B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079A871
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007ADC71
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079DE74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AA474
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007B3263
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A4A66
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007B0A64
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A2E5D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AB257
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079E640
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AF840
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00797442
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079A445
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A4244
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00793431
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00798636
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079B820
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007B2009
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A7A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A9A01
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A8806
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007ABEFD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079F0E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007B3EE9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007B00EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AE4E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AD8DB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007ACCD9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007ACAD5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007980C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A0ABA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079C6B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007B46BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A0EBC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A3EAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079BAA9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007B36AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00791CA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AA2A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A437A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A017B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A5779
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00796B7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A4F74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A9774
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079F369
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A7D5B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AFF58
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007B2D53
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AE955
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A654A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079D14C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A2142
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00791F38
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A8D3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A5333
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A5515
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007B2B09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079670B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AAD08
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079EF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AE1F8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A27F9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00794BFC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007955FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A07F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A9DF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A67E6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079C5D8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AFBDE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079E7DE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AC5D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007957B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007AD1BC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007B17BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079BFBE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007B07AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A8FAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007977A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00792194
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079238C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0079FB8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A0F86
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A6187
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_007A3D85
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10017BC1 appears 68 times
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 1001984C appears 48 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10017BC1 appears 68 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 1001984C appears 48 times
                      Source: 8ozP45Xn3V.dllBinary or memory string: OriginalFilenameUDPTool.EXE: vs 8ozP45Xn3V.dll
                      Source: 8ozP45Xn3V.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
                      Source: 8ozP45Xn3V.dllVirustotal: Detection: 26%
                      Source: 8ozP45Xn3V.dllReversingLabs: Detection: 30%
                      Source: 8ozP45Xn3V.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8ozP45Xn3V.dll
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8ozP45Xn3V.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Awmbc\hyrvgwa.iff",ywJlCo
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Awmbc\hyrvgwa.iff",DllRegisterServer
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8ozP45Xn3V.dll
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8ozP45Xn3V.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Awmbc\hyrvgwa.iff",ywJlCo
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Awmbc\hyrvgwa.iff",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: classification engineClassification label: mal100.troj.evad.winDLL@22/2@0/28
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_100126F9 FindResourceA,LoadResource,LockResource,FreeResource,
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: 8ozP45Xn3V.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 8ozP45Xn3V.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 8ozP45Xn3V.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 8ozP45Xn3V.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 8ozP45Xn3V.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10019891 push ecx; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10017C60 push ecx; ret
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_04EA1195 push cs; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10019891 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10017C60 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04EF1195 push cs; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00B31195 push cs; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04581195 push cs; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00791195 push cs; iretd
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: 8ozP45Xn3V.dllStatic PE information: real checksum: 0x66354 should be: 0x6b630
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8ozP45Xn3V.dll
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Awmbc\hyrvgwa.iffJump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Awmbc\hyrvgwa.iff:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Kynlkizj\bwjooblcv.eon:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 4588 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe | API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 4.9 %
Source: C:\Windows\SysWOW64\regsvr32.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000014.00000002.834167095.000002AF41280000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWp
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWrg
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000002.1194217965.0000000000DE5000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.941333292.0000000000DE5000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.834275657.000002AF412EE000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194321279.000002C9B9ECF000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_04EAF7F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04EFF7F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00B3F7F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0458F7F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0079F7F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.138.98.34 80
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1
Source: rundll32.exe, 00000008.00000002.1195106078.00000000030E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: rundll32.exe, 00000008.00000002.1195106078.00000000030E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000008.00000002.1195106078.00000000030E0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: rundll32.exe, 00000008.00000002.1195106078.00000000030E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10022853 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1001F914 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd,

                      Stealing of Sensitive Information:

Yara detected Emotet
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | DLL Side-Loading1 | DLL Side-Loading1 | Deobfuscate/Decode Files or Information1 | Input Capture1 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection112 | Obfuscated Files or Information2 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading1 | Security Account Manager | System Information Discovery35 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | File Deletion1 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading2 | LSA Secrets | Security Software Discovery31 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion2 | Cached Domain Credentials | Virtualization/Sandbox Evasion2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Process Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Regsvr321 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll321 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

                      Behavior Graph

Behavior Graph ID: 553116 | Sample: 8ozP45Xn3V | Startdate: 14/01/2022 | Architecture: WINDOWS | Score: 100
Start-node signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for URL or domain; 5 other signatures
Start-node network: 210.57.209.142 UNAIR-AS-IDUniversitasAirlanggaID Indonesia; 85.214.67.203 STRATOSTRATOAGDE Germany; 23 other IPs or domains
Processes started from the start node: loaddll32.exe; svchost.exe; svchost.exe; 3 other processes
loaddll32.exe started: rundll32.exe; cmd.exe; regsvr32.exe
svchost.exe contacted: 192.168.2.1 unknown unknown
rundll32.exe (started by loaddll32.exe): Hides that the sample has been downloaded from the Internet (zone.identifier); started rundll32.exe, which in turn started rundll32.exe
cmd.exe started rundll32.exe, which started rundll32.exe: Hides that the sample has been downloaded from the Internet (zone.identifier)
regsvr32.exe started rundll32.exe
rundll32.exe (last in the loaddll32.exe chain) contacted: 45.138.98.34, 49809, 80 M247GB Germany; 69.16.218.101, 49810, 8080 LIQUIDWEBUS United States; signature: System process connects to network (likely due to code injection or exploit)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
8ozP45Xn3V.dll | 26% | Virustotal |
8ozP45Xn3V.dll | 30% | ReversingLabs | Win32.Trojan.Emotet
8ozP45Xn3V.dll | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
7.2.rundll32.exe.510000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.5500000.21.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.4c80000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.regsvr32.exe.3490000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.4f20000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.51d0000.16.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.5530000.22.unpack | 100% | Avira | HEUR/AGEN.1145233
6.2.rundll32.exe.e80000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.ad0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.49d0000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.50e0000.15.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.bb0000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
6.2.rundll32.exe.4a80000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
6.2.rundll32.exe.4c10000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.54d0000.20.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.b30000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.4a00000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.4d30000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.4fd0000.12.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.4d30000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
3.2.rundll32.exe.4dc0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.53d0000.18.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.4b80000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.4ab0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.5400000.19.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.4bb0000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
3.2.rundll32.exe.4ef0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.4be0000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.4b50000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.4e90000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.5560000.23.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.50b0000.14.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.4580000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.45f0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.5000000.13.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.790000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.4c40000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.4550000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.4ec0000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.regsvr32.exe.4ea0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.4be0000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.4c50000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.790000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.4d00000.10.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.4bb0000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
6.2.rundll32.exe.4580000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.5200000.17.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.4d60000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.a00000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
8.2.rundll32.exe.4ef0000.10.unpack | 100% | Avira | HEUR/AGEN.1145233

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://schemas.mi | 0% | URL Reputation | safe
http://Passport.NET/tbpose | 0% | Avira URL Cloud | safe
https://45.138.98.34/tC | 100% | Avira URL Cloud | malware
https://69.16.218.101:8080/mqHphxEnNLNXvTjzpCyiWOKGJsACjqrMZUZsOV | 0% | Avira URL Cloud | safe
https://45.138.98.34:80/kTrIpBlTHDTtgSQyGu | 100% | Avira URL Cloud | malware
https://69.16.218.101/ | 0% | Avira URL Cloud | safe
https://69.16.218.101/PCH | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
http://passport.net/tb | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://69.16.218.101:8080/mqHphxEnNLNXvTjzpCyiWOKGJsACjqrMZUZsOVl | 0% | Avira URL Cloud | safe
https://45.138.98.34:80/kTrIpBlTHDTtgSQyG | 100% | Avira URL Cloud | malware
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://45.138.98.34/BCF | 100% | Avira URL Cloud | malware
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.mi | svchost.exe, 00000017.00000003.1166288410.000002C9BA70F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/scsice | svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/scicy | svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust | svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194770983.000002C9BA768000.00000004.00000001.sdmp | false | | high
http://Passport.NET/tbpose | svchost.exe, 00000017.00000002.1194981678.000002C9BAC34000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdUSMiY0 | svchost.exe, 00000017.00000002.1194580462.000002C9BA700000.00000004.00000001.sdmp | false | | high
https://45.138.98.34/tC | rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp | false | | high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502ssuer | svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp | false | | high
https://69.16.218.101:8080/mqHphxEnNLNXvTjzpCyiWOKGJsACjqrMZUZsOV | rundll32.exe, 00000008.00000002.1194144589.0000000000DBA000.00000004.00000020.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | svchost.exe, 00000017.00000002.1193992900.000002C9B9E2A000.00000004.00000001.sdmp | false | | high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502 | svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600ssuer | svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp | false | | high
https://45.138.98.34:80/kTrIpBlTHDTtgSQyGu | rundll32.exe, 00000008.00000002.1194144589.0000000000DBA000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
https://signup.live.com/signup.aspx | svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmp | false | | high
https://69.16.218.101/ | rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://69.16.218.101/PCH | rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | false
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.disneyplus.com/legal/your-california-privacy-rightssvchost.exe, 00000014.00000003.808230171.000002AF41B8E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808218416.000002AF41B7D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808191366.000002AF41BC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808173476.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808255276.000002AF41BDE000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpfalse
                                            high
                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdst=svchost.exe, 00000017.00000003.1166171131.000002C9BA75E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1166149860.000002C9BA75A000.00000004.00000001.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/ws/2004/09/policysvchost.exe, 00000017.00000002.1193992900.000002C9B9E2A000.00000004.00000001.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-toksvchost.exe, 00000017.00000003.1166081062.000002C9BA729000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://account.live.com/msangcwamsvchost.exe, 00000017.00000003.1164466007.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://crl.ver)svchost.exe, 00000017.00000002.1194368719.000002C9B9ED6000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          low
                                                          http://passport.net/tbsvchost.exe, 00000017.00000002.1194171773.000002C9B9E7B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://www.tiktok.com/legal/report/feedbacksvchost.exe, 00000014.00000003.810766937.000002AF41BD6000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810797201.000002AF41BD6000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.811421758.000002AF41B95000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810823224.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810847190.000002AF42002000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmlns:svchost.exe, 00000017.00000003.1166171131.000002C9BA75E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1166149860.000002C9BA75A000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/02/scTw=svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesvchost.exe, 00000017.00000003.1166089900.000002C9BA72F000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://69.16.218.101:8080/mqHphxEnNLNXvTjzpCyiWOKGJsACjqrMZUZsOVlrundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://45.138.98.34:80/kTrIpBlTHDTtgSQyGrundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmptrue
                                                                • Avira URL Cloud: malware
                                                                unknown
                                                                https://www.disneyplus.com/legal/privacy-policysvchost.exe, 00000014.00000003.808230171.000002AF41B8E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808218416.000002AF41B7D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808191366.000002AF41BC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808173476.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808255276.000002AF41BDE000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://account.live.com/Wizard/Password/Change?id=80601svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2005/02/scsvchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194638282.000002C9BA713000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194770983.000002C9BA768000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://45.138.98.34/BCFrundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmptrue
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      https://account.live.com/inlinesignup.aspx?iww=1&id=80600svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd5KSBqsvchost.exe, 00000017.00000002.1194580462.000002C9BA700000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://disneyplus.com/legal.svchost.exe, 00000014.00000003.808230171.000002AF41B8E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808218416.000002AF41B7D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808191366.000002AF41BC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808173476.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808255276.000002AF41BDE000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/ws/2005/02/trustnsvchost.exe, 00000017.00000002.1194638282.000002C9BA713000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://help.disneyplus.com.svchost.exe, 00000014.00000003.808230171.000002AF41B8E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808218416.000002AF41B7D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808191366.000002AF41BC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808173476.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808255276.000002AF41BDE000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsvchost.exe, 00000017.00000002.1193992900.000002C9B9E2A000.00000004.00000001.sdmpfalse
                                                                                      high
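When a Joe Sandbox URL table is exported as plain text, each row tends to arrive fused: the URL's trailing memory junk runs straight into the source process name, the dump file names follow, and the Malicious flag is glued onto the last dump. The script below is an added example, not part of this report or of Joe Sandbox's tooling, that splits such rows back into fields, decodes the dump file name, and pulls host:port pairs from the entries that matter. The three rows are copied from this report's URL table; the field labels I give the dump name (process index, stage, dump id, base address, protection, type) are my reading of Joe Sandbox's naming and are an assumption. The Contacted IPs table that follows is used to reconcile verdicts: it marks 69.16.218.101 malicious, while the URL-level check above rates https://69.16.218.101:8080/... as safe, so relying on the URL column alone would drop one of the two Emotet C2 hosts.

```python
"""Split fused Joe Sandbox URL-table rows into fields and pull C2 endpoints.

Added example; not part of the Joe Sandbox report or its tooling.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Rows copied verbatim from the URL table of this report (analysis 553116), in the
# fused form a plain-text export produces: URL, then one or more
# "<process>, <dump>.sdmp" sources, then the Malicious flag, all run together.
SAMPLE_ROWS = [
    "https://45.138.98.34:80/kTrIpBlTHDTtgSQyGurundll32.exe, 00000008.00000002.1194144589.0000000000DBA000.00000004.00000020.sdmptrue",
    "https://69.16.218.101:8080/mqHphxEnNLNXvTjzpCyiWOKGJsACjqrMZUZsOVrundll32.exe, 00000008.00000002.1194144589.0000000000DBA000.00000004.00000020.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmpfalse",
    "http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194770983.000002C9BA768000.00000004.00000001.sdmpfalse",
]

# Hosts the report's "Contacted IPs" table marks malicious (subset copied from it).
MALICIOUS_IPS = frozenset({"45.138.98.34", "69.16.218.101"})

# The URL/process boundary is ambiguous (the URL's trailing memory junk runs
# straight into the process name), so the parser needs the set of process names
# that occur in the report. These two are the only ones in this table.
KNOWN_PROCESSES = ("rundll32.exe", "svchost.exe")

# A dump name is six dot-separated numeric fields followed by ".sdmp".
SDMP = r"[0-9A-F]+(?:\.[0-9A-F]+){5}\.sdmp"


@dataclass(frozen=True)
class MemoryDump:
    process: str
    process_index: int  # field names are my reading of Joe Sandbox's dump naming;
    stage: int          # the report does not document them, so treat as assumed
    dump_id: int
    base_address: int
    protection: int
    kind: int


@dataclass(frozen=True)
class UrlRow:
    url: str
    sources: tuple
    malicious: bool


def parse_sdmp(process: str, name: str) -> MemoryDump:
    """Decode '<idx>.<stage>.<id>.<base>.<prot>.<kind>.sdmp' into a MemoryDump."""
    idx, stage, dump_id, base, prot, kind, ext = name.split(".")
    if ext != "sdmp":
        raise ValueError(name)
    return MemoryDump(process, int(idx, 16), int(stage, 16), int(dump_id),
                      int(base, 16), int(prot, 16), int(kind, 16))


def parse_url_row(row: str, processes=KNOWN_PROCESSES) -> UrlRow:
    """Split one fused row into URL, (process, dump) sources and the Malicious flag."""
    proc = "|".join(re.escape(p) for p in processes)
    # Lazy URL match stops at the first point where a known process name begins.
    row_re = re.compile(
        rf"^(?P<url>.+?)(?P<sources>(?:{proc}), {SDMP}(?:, (?:{proc}), {SDMP})*)"
        rf"(?P<malicious>true|false)$"
    )
    m = row_re.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    sources = tuple(parse_sdmp(p, d)
                    for p, d in re.findall(rf"({proc}), ({SDMP})", m["sources"]))
    return UrlRow(m["url"], sources, m["malicious"] == "true")


def c2_endpoints(rows, malicious_ips=frozenset()):
    """Sorted (host, port) pairs for rows flagged malicious or hosted on a known bad IP.

    The URL column rated https://69.16.218.101:8080/... 'safe' while the
    contacted-IP table marks that host malicious; passing the IP table's
    entries as malicious_ips reconciles the two views.
    """
    found = set()
    for r in rows:
        parts = urlsplit(r.url)
        host = parts.hostname
        if host is None:
            continue
        if r.malicious or host in malicious_ips:
            port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
            found.add((host, port))
    return sorted(found)


if __name__ == "__main__":
    parsed = [parse_url_row(r) for r in SAMPLE_ROWS]
    for r in parsed:
        print(r.malicious, r.url,
              [(s.process, hex(s.base_address)) for s in r.sources])
    print(c2_endpoints(parsed, MALICIOUS_IPS))
```

The process-name list is the important caveat: without it there is no way to tell where a URL's trailing junk ends and `svchost.exe` begins, so a row from a report with other process names needs that name added to `KNOWN_PROCESSES` before the split is trustworthy.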

                                                                                      Contacted IPs

                                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
207.148.81.119 | unknown | United States | 20473 | AS-CHOOPAUS | true
104.131.62.48 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
85.214.67.203 | unknown | Germany | 6724 | STRATOSTRATOAGDE | true
191.252.103.16 | unknown | Brazil | 27715 | LocawebServicosdeInternetSABR | true
168.197.250.14 | unknown | Argentina | 264776 | OmarAnselmoRipollTDCNETAR | true
66.42.57.149 | unknown | United States | 20473 | AS-CHOOPAUS | true
185.148.168.15 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
51.210.242.234 | unknown | France | 16276 | OVHFR | true
217.182.143.207 | unknown | France | 16276 | OVHFR | true
69.16.218.101 | unknown | United States | 32244 | LIQUIDWEBUS | true
159.69.237.188 | unknown | Germany | 24940 | HETZNER-ASDE | true
45.138.98.34 | unknown | Germany | 9009 | M247GB | true
116.124.128.206 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
78.46.73.125 | unknown | Germany | 24940 | HETZNER-ASDE | true
37.59.209.141 | unknown | France | 16276 | OVHFR | true
210.57.209.142 | unknown | Indonesia | 38142 | UNAIR-AS-IDUniversitasAirlanggaID | true
185.148.168.220 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
54.37.228.122 | unknown | France | 16276 | OVHFR | true
190.90.233.66 | unknown | Colombia | 18678 | INTERNEXASAESPCO | true
142.4.219.173 | unknown | Canada | 16276 | OVHFR | true
54.38.242.185 | unknown | France | 16276 | OVHFR | true
195.154.146.35 | unknown | France | 12876 | OnlineSASFR | true
195.77.239.39 | unknown | Spain | 60493 | FICOSA-ASES | true
78.47.204.80 | unknown | Germany | 24940 | HETZNER-ASDE | true
37.44.244.177 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
62.171.178.147 | unknown | United Kingdom | 51167 | CONTABODE | true
128.199.192.135 | unknown | United Kingdom | 14061 | DIGITALOCEAN-ASNUS | true

                                                                                      Private

                                                                                      IP
                                                                                      192.168.2.1

                                                                                      General Information

                                                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                      Analysis ID:553116
                                                                                      Start date:14.01.2022
                                                                                      Start time:10:39:27
                                                                                      Joe Sandbox Product:CloudBasic
                                                                                      Overall analysis duration:0h 14m 8s
                                                                                      Hypervisor based Inspection enabled:false
                                                                                      Report type:light
                                                                                      Sample file name:8ozP45Xn3V (renamed file extension from none to dll)
                                                                                      Cookbook file name:default.jbs
                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                      Number of analysed new started processes analysed:24
                                                                                      Number of new started drivers analysed:0
                                                                                      Number of existing processes analysed:0
                                                                                      Number of existing drivers analysed:0
                                                                                      Number of injected processes analysed:0
                                                                                      Technologies:
                                                                                      • HCA enabled
                                                                                      • EGA enabled
                                                                                      • HDC enabled
                                                                                      • AMSI enabled
                                                                                      Analysis Mode:default
                                                                                      Analysis stop reason:Timeout
                                                                                      Detection:MAL
                                                                                      Classification:mal100.troj.evad.winDLL@22/2@0/28
                                                                                      EGA Information:
                                                                                      • Successful, ratio: 100%
                                                                                      HDC Information:
                                                                                      • Successful, ratio: 33.5% (good quality ratio 32.2%)
                                                                                      • Quality average: 77.7%
                                                                                      • Quality standard deviation: 24.9%
                                                                                      HCA Information:
                                                                                      • Successful, ratio: 100%
                                                                                      • Number of executed functions: 0
                                                                                      • Number of non-executed functions: 0
                                                                                      Cookbook Comments:
                                                                                      • Adjust boot time
                                                                                      • Enable AMSI
                                                                                      • Override analysis time to 240s for rundll32
                                                                                      Warnings:
                                                                                      Show All
                                                                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                                                                                      • Excluded IPs from analysis (whitelisted): 173.222.108.210, 173.222.108.226, 20.54.110.249, 40.91.112.76, 20.190.160.67, 20.190.160.4, 20.190.160.136, 20.190.160.129, 20.190.160.6, 20.190.160.71, 20.190.160.2, 20.190.160.73
                                                                                      • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, a767.dspw65.akamai.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                      • Not all processes were analyzed, report is missing behavior information
                                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                      Simulations

                                                                                      Behavior and APIs

                                                                                      Time | Type | Description
                                                                                      10:41:30 | API Interceptor | 7x Sleep call for process: svchost.exe modified

                                                                                      Joe Sandbox View / Context

                                                                                      IPs

                                                                                      No context

                                                                                      Domains

                                                                                      No context

                                                                                      ASN

                                                                                      No context

                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                      Process: C:\Windows\SysWOW64\rundll32.exe
                                                                                      File Type: Microsoft Cabinet archive data, 61414 bytes, 1 file
                                                                                      Category: dropped
                                                                                      Size (bytes): 61414
                                                                                      Entropy (8bit): 7.995245868798237
                                                                                      Encrypted: true
                                                                                      SSDEEP: 1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                                                                                      MD5: ACAEDA60C79C6BCAC925EEB3653F45E0
                                                                                      SHA1: 2AAAE490BCDACCC6172240FF1697753B37AC5578
                                                                                      SHA-256: 6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                                                                                      SHA-512: FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                                                                                      Malicious: false
                                                                                      Preview: MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....
                                                                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                      Process: C:\Windows\SysWOW64\rundll32.exe
                                                                                      File Type: data
                                                                                      Category: modified
                                                                                      Size (bytes): 328
                                                                                      Entropy (8bit): 3.1244568012511515
                                                                                      Encrypted: false
                                                                                      SSDEEP: 6:kKYKk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:AK9kPlE99SNxAhUeYlUSA/t
                                                                                      MD5: 7F9CE138123D4418F3E412CAFD07AE3B
                                                                                      SHA1: 5BF5C7CF67E6D88277AF89B5CAAA67CA2517AA30
                                                                                      SHA-256: 6F01F1D2AB46CC5F4D6F0F7A27A4F257220C35E7E21C462B36E9B29DAAD4F699
                                                                                      SHA-512: 8B5A4FBCA12AE2C670884CCA22650F75D5AA48F5901BAA10A7A8A877FD376DA6EDA999E264210384ABF2B0CDAB88A92771DB12FE5C6072DF88CDA8D0F8443BAD
                                                                                      Malicious: false
                                                                                      Preview: p...... ..........*...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

                                                                                      Static File Info

                                                                                      General

                                                                                      File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit): 7.087985108864896
                                                                                      TrID:
                                                                                      • Win32 Dynamic Link Library (generic) (1002004/3) 95.65%
                                                                                      • Win32 EXE PECompact compressed (generic) (41571/9) 3.97%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.19%
                                                                                      • DOS Executable Generic (2002/1) 0.19%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name: 8ozP45Xn3V.dll
                                                                                      File size: 417792
                                                                                      MD5: 5b1f5dfeb1d63dfad1961f11a1d13ccd
                                                                                      SHA1: 140fae6f1e530e994b73b5ccf3d8343aa2c3e94b
                                                                                      SHA256: 408e24e34e423d0ee843ee6b153b804765896348e8a046d9aae7b899b3194fb8
                                                                                      SHA512: 63a1b92e00304a14876c2875f252777f88cba5a8151cb7ac87240556fea42f9517e5fa5ef33df2b963c1b1556e08744b53fb98c5c542cbb3a95dec81db1e2230
                                                                                      SSDEEP: 6144:o1ju3jPam65ucnNgDoDUhuGGwKveuo4VKYjHyCAJOhrmBlDxqms9ujAJKedmL/:yMjcuDaUImeStJorohvsMjmKe
                                                                                      File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z'...F...F...F...I...F...I...F...F...D..9....F..9....F..9....F..9....F..9....F..9....F..Rich.F..................PE..L...k+.a...

                                                                                      File Icon

                                                                                      Icon Hash: 71b018ccc6577131

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint: 0x10017b85
                                                                                      Entrypoint Section: .text
                                                                                      Digitally signed: false
                                                                                      Imagebase: 0x10000000
                                                                                      Subsystem: windows gui
                                                                                      Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                      DLL Characteristics:
                                                                                      Time Stamp: 0x61E02B6B [Thu Jan 13 13:38:51 2022 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major: 4
                                                                                      OS Version Minor: 0
                                                                                      File Version Major: 4
                                                                                      File Version Minor: 0
                                                                                      Subsystem Version Major: 4
                                                                                      Subsystem Version Minor: 0
                                                                                      Import Hash: 90add561a8bf6976696c056c199a41b8

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      cmp dword ptr [esp+08h], 01h
                                                                                      jne 00007F9D08D7A707h
                                                                                      call 00007F9D08D82488h
                                                                                      push dword ptr [esp+04h]
                                                                                      mov ecx, dword ptr [esp+10h]
                                                                                      mov edx, dword ptr [esp+0Ch]
                                                                                      call 00007F9D08D7A5F2h
                                                                                      pop ecx
                                                                                      retn 000Ch
                                                                                      push 00000000h
                                                                                      push dword ptr [esp+14h]
                                                                                      push dword ptr [esp+14h]
                                                                                      push dword ptr [esp+14h]
                                                                                      push dword ptr [esp+14h]
                                                                                      call 00007F9D08D824F0h
                                                                                      add esp, 14h
                                                                                      ret
                                                                                      push eax
                                                                                      push dword ptr fs:[00000000h]
                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                      push ebx
                                                                                      push esi
                                                                                      push edi
                                                                                      mov dword ptr [eax], ebp
                                                                                      mov ebp, eax
                                                                                      mov eax, dword ptr [10057A08h]
                                                                                      xor eax, ebp
                                                                                      push eax
                                                                                      push dword ptr [ebp-04h]
                                                                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                      mov dword ptr fs:[00000000h], eax
                                                                                      ret
                                                                                      push eax
                                                                                      push dword ptr fs:[00000000h]
                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                      push ebx
                                                                                      push esi
                                                                                      push edi
                                                                                      mov dword ptr [eax], ebp
                                                                                      mov ebp, eax
                                                                                      mov eax, dword ptr [10057A08h]
                                                                                      xor eax, ebp
                                                                                      push eax
                                                                                      mov dword ptr [ebp-10h], esp
                                                                                      push dword ptr [ebp-04h]
                                                                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                      mov dword ptr fs:[00000000h], eax
                                                                                      ret
                                                                                      push eax
                                                                                      push dword ptr fs:[00000000h]
                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                      push ebx
                                                                                      push esi
                                                                                      push edi
                                                                                      mov dword ptr [eax], ebp
                                                                                      mov ebp, eax
                                                                                      mov eax, dword ptr [10057A08h]
                                                                                      xor eax, ebp
                                                                                      push eax
                                                                                      mov dword ptr [ebp-10h], eax

                                                                                      Rich Headers

                                                                                      Programming Language:
                                                                                      • [RES] VS2005 build 50727
                                                                                      • [ C ] VS2005 build 50727
                                                                                      • [EXP] VS2005 build 50727
                                                                                      • [C++] VS2005 build 50727
                                                                                      • [ASM] VS2005 build 50727
                                                                                      • [LNK] VS2005 build 50727

                                                                                      Data Directories

                                                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x313c0 | 0x50 | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2fdcc | 0xb4 | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0x3664 | .rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x61000 | 0x3df4 | .reloc
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2cd60 | 0x40 | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x29000 | 0x440 | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2fd44 | 0x40 | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                      Sections

                                                                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                      .text | 0x1000 | 0x27f5e | 0x28000 | False | 0.514996337891 | data | 6.66251942868 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                      .rdata | 0x29000 | 0x8410 | 0x9000 | False | 0.308865017361 | data | 4.83047040925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .data | 0x32000 | 0x2a9a0 | 0x27000 | False | 0.963572966747 | data | 7.93281036967 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                      .rsrc | 0x5d000 | 0x3664 | 0x4000 | False | 0.274780273438 | data | 4.49622273105 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .reloc | 0x61000 | 0x8284 | 0x9000 | False | 0.33251953125 | data | 3.82081999119 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                      Resources

                                                                                      Name | RVA | Size | Type | Language | Country
                                                                                      RT_CURSOR | 0x5db08 | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5dc3c | 0xb4 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5dcf0 | 0x134 | AmigaOS bitmap font | Chinese | China
                                                                                      RT_CURSOR | 0x5de24 | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5df58 | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5e08c | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5e1c0 | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5e2f4 | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5e428 | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5e55c | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5e690 | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5e7c4 | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5e8f8 | 0x134 | AmigaOS bitmap font | Chinese | China
                                                                                      RT_CURSOR | 0x5ea2c | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5eb60 | 0x134 | data | Chinese | China
                                                                                      RT_CURSOR | 0x5ec94 | 0x134 | data | Chinese | China
                                                                                      RT_BITMAP | 0x5edc8 | 0xb8 | data | Chinese | China
                                                                                      RT_BITMAP | 0x5ee80 | 0x144 | data | Chinese | China
                                                                                      RT_ICON | 0x5efc4 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Chinese | China
                                                                                      RT_ICON | 0x5f2ac | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
                                                                                      RT_DIALOG | 0x5f3d4 | 0x33c | data | Chinese | China
                                                                                      RT_DIALOG | 0x5f710 | 0xe2 | data | Chinese | China
                                                                                      RT_DIALOG | 0x5f7f4 | 0x34 | data | Chinese | China
                                                                                      RT_STRING | 0x5f828 | 0x54 | data | Chinese | China
                                                                                      RT_STRING | 0x5f87c | 0x2c | data | Chinese | China
                                                                                      RT_STRING | 0x5f8a8 | 0x82 | data | Chinese | China
                                                                                      RT_STRING | 0x5f92c | 0x1d0 | data | Chinese | China
                                                                                      RT_STRING | 0x5fafc | 0x164 | data | Chinese | China
                                                                                      RT_STRING | 0x5fc60 | 0x132 | data | Chinese | China
                                                                                      RT_STRING | 0x5fd94 | 0x50 | data | Chinese | China
                                                                                      RT_STRING | 0x5fde4 | 0x40 | data | Chinese | China
                                                                                      RT_STRING | 0x5fe24 | 0x6a | data | Chinese | China
                                                                                      RT_STRING | 0x5fe90 | 0x1d6 | data | Chinese | China
                                                                                      RT_STRING | 0x60068 | 0x110 | data | Chinese | China
                                                                                      RT_STRING | 0x60178 | 0x24 | data | Chinese | China
                                                                                      RT_STRING | 0x6019c | 0x30 | data | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x601cc | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x601f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x60204 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x60218 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x6022c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x60240 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x60254 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x60268 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x6027c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x60290 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x602a4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x602b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x602cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x602e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_CURSOR | 0x602f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                                                                                      RT_GROUP_ICON | 0x60308 | 0x22 | data | Chinese | China
                                                                                      RT_VERSION | 0x6032c | 0x2e0 | data | Chinese | China
                                                                                      RT_MANIFEST | 0x6060c | 0x56 | ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CreateFileA, GetCPInfo, GetOEMCP, RtlUnwind, HeapReAlloc, GetCommandLineA, RaiseException, ExitProcess, HeapSize, HeapDestroy, HeapCreate, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, LCMapStringW, GetStdHandle, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetCurrentProcess, GetThreadLocale, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GlobalFlags, WritePrivateProfileStringA, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, InterlockedDecrement, FreeResource, GetCurrentProcessId, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, lstrcmpA, GlobalDeleteAtom, GetModuleHandleA, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, FindResourceA, LoadResource, LockResource, SizeofResource, MulDiv, CreateThread, CloseHandle, HeapFree, GetNativeSystemInfo, GetProcessHeap, HeapAlloc, FreeLibrary, GetProcAddress, LoadLibraryA, IsBadReadPtr, VirtualProtect, SetLastError, VirtualAlloc, VirtualFree, VirtualQuery, Sleep, GetLastError, lstrlenA, WideCharToMultiByte, CompareStringA, MultiByteToWideChar, GetVersion, LCMapStringA, InterlockedExchange
USER32.dll | LoadCursorA, GetSysColorBrush, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, GetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetTopWindow, GetMessageTime, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetWindow, UnhookWindowsHookEx, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, SetMenuItemBitmaps, DestroyMenu, UnregisterClassA, GetMessagePos, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, EnableMenuItem, CheckMenuItem, PostQuitMessage, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, SetTimer, KillTimer, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, SendMessageA, ShowWindow, EnableWindow, LoadIconA, PostMessageA, AdjustWindowRectEx
GDI32.dll | SetWindowExtEx, ScaleWindowExtEx, DeleteDC, GetStockObject, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetDeviceCaps, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap
WINSPOOL.DRV | DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll | RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegCloseKey
SHLWAPI.dll | PathFindExtensionA
OLEAUT32.dll | VariantClear, VariantChangeType, VariantInit
WS2_32.dll | sendto, recvfrom, WSAStartup, inet_addr, htons, socket, bind, setsockopt, WSACleanup, closesocket, htonl

Exports

Name | Ordinal | Address
DllRegisterServer | 1 | 0x10008af0

Version Infos

Description | Data
LegalCopyright | (C) 2014
InternalName | UDPTool
FileVersion | 1, 0, 0, 1
CompanyName |
LegalTrademarks |
ProductName | UDPTool
ProductVersion | 1, 0, 0, 1
FileDescription | UDPTool Microsoft
OriginalFilename | UDPTool.EXE
Translation | 0x0804 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken | Map
Chinese | China |
English | United States |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/14/22-10:40:44.635950 | TCP | 2404332 | ET CNC Feodo Tracker Reported CnC Server TCP group 17 | 49809 | 80 | 192.168.2.4 | 45.138.98.34
01/14/22-10:40:45.850475 | TCP | 2404338 | ET CNC Feodo Tracker Reported CnC Server TCP group 20 | 49810 | 8080 | 192.168.2.4 | 69.16.218.101

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 10:40:44.635950089 CET | 49809 | 80 | 192.168.2.4 | 45.138.98.34
Jan 14, 2022 10:40:44.652827978 CET | 80 | 49809 | 45.138.98.34 | 192.168.2.4
Jan 14, 2022 10:40:45.226506948 CET | 49809 | 80 | 192.168.2.4 | 45.138.98.34
Jan 14, 2022 10:40:45.243325949 CET | 80 | 49809 | 45.138.98.34 | 192.168.2.4
Jan 14, 2022 10:40:45.820275068 CET | 49809 | 80 | 192.168.2.4 | 45.138.98.34
Jan 14, 2022 10:40:45.837666035 CET | 80 | 49809 | 45.138.98.34 | 192.168.2.4
Jan 14, 2022 10:40:45.850475073 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101
Jan 14, 2022 10:40:45.980114937 CET | 8080 | 49810 | 69.16.218.101 | 192.168.2.4
Jan 14, 2022 10:40:45.980295897 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101
Jan 14, 2022 10:40:46.015775919 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101
Jan 14, 2022 10:40:46.146003008 CET | 8080 | 49810 | 69.16.218.101 | 192.168.2.4
Jan 14, 2022 10:40:46.159126997 CET | 8080 | 49810 | 69.16.218.101 | 192.168.2.4
Jan 14, 2022 10:40:46.159154892 CET | 8080 | 49810 | 69.16.218.101 | 192.168.2.4
Jan 14, 2022 10:40:46.159277916 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101
Jan 14, 2022 10:40:50.986057997 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101
Jan 14, 2022 10:40:51.115719080 CET | 8080 | 49810 | 69.16.218.101 | 192.168.2.4
Jan 14, 2022 10:40:51.116323948 CET | 8080 | 49810 | 69.16.218.101 | 192.168.2.4
Jan 14, 2022 10:40:51.116410017 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101
Jan 14, 2022 10:40:51.121643066 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101
Jan 14, 2022 10:40:51.251354933 CET | 8080 | 49810 | 69.16.218.101 | 192.168.2.4
Jan 14, 2022 10:40:51.793253899 CET | 8080 | 49810 | 69.16.218.101 | 192.168.2.4
Jan 14, 2022 10:40:51.793672085 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101
Jan 14, 2022 10:40:54.795973063 CET | 8080 | 49810 | 69.16.218.101 | 192.168.2.4
Jan 14, 2022 10:40:54.795998096 CET | 8080 | 49810 | 69.16.218.101 | 192.168.2.4
Jan 14, 2022 10:40:54.796070099 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101
Jan 14, 2022 10:40:54.796103001 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101
Jan 14, 2022 10:42:32.892111063 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101
Jan 14, 2022 10:42:32.892158985 CET | 49810 | 8080 | 192.168.2.4 | 69.16.218.101

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 10:44:17.350881100 CET | 8.8.8.8 | 192.168.2.4 | 0x90de | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)

                                                                                      Code Manipulations

                                                                                      Statistics

                                                                                      Behavior

                                                                                      System Behavior

General

Start time: 10:40:25
Start date: 14/01/2022
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll"
Imagebase: 0x140000
File size: 116736 bytes
MD5 hash: 7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 10:40:26
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:40:26
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32.exe /s C:\Users\user\Desktop\8ozP45Xn3V.dll
Imagebase: 0x240000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.678801674.0000000004EA1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.678402531.0000000003490000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:40:26
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1
Imagebase: 0xec0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.679189508.0000000004DC0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.679337426.0000000004EF1000.00000020.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:40:26
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\8ozP45Xn3V.dll,DllRegisterServer
Imagebase: 0xec0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.683302750.0000000004581000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.683437410.0000000004A01000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.683851852.0000000004BB0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.681810027.0000000000A00000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.683253680.0000000004550000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.684072161.0000000004D31000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.684008424.0000000004D00000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.683386584.00000000049D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.683941130.0000000004BE1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.683690737.0000000004B81000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.681945178.0000000000B31000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.683628620.0000000004B50000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:40:27
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer
Imagebase: 0xec0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:40:27
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer
Imagebase: 0xec0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.681011389.0000000004BE1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.680753650.0000000004A80000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.680819179.0000000004AB1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.681140235.0000000004C41000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.681069343.0000000004C10000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.680200574.0000000000E80000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.680952916.0000000004BB0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.680607350.0000000004581000.00000020.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:40:30
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Awmbc\hyrvgwa.iff",ywJlCo
Imagebase: 0xec0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.683913602.0000000000791000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.683812885.0000000000510000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

                                                                                      General

                                                                                      Start time:10:40:31
                                                                                      Start date:14/01/2022
                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Awmbc\hyrvgwa.iff",DllRegisterServer
                                                                                      Imagebase:0xec0000
                                                                                      File size:61952 bytes
                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1193813171.0000000000AD1000.00000020.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196243909.0000000004FD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196558056.00000000051D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196279550.0000000005001000.00000020.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196152272.0000000004EF0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196337731.00000000050B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196188150.0000000004F21000.00000020.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1197175277.0000000005530000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1193980230.0000000000BB0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1195901433.0000000004C81000.00000020.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196376857.00000000050E1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196877858.00000000053D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196081984.0000000004E90000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1197104038.0000000005501000.00000020.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1197250321.0000000005561000.00000020.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1195970114.0000000004D30000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1193635496.0000000000790000.00000040.00000010.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196596448.0000000005201000.00000020.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196982602.0000000005401000.00000020.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1195866286.0000000004C50000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1195525525.00000000045F1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1197067981.00000000054D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196117652.0000000004EC1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1196009130.0000000004D61000.00000020.00000001.sdmp, Author: Joe Security
                                                                                      Reputation:high
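
The two rundll32 command lines in the process blocks above show the pattern a detection engineer would want to match: a module with a non-DLL extension (hyrvgwa.iff) in a subdirectory of the Windows system directory, loaded once through a named export (ywJlCo) and once through DllRegisterServer, with the second path written as System32 even though the host is a 32-bit rundll32 in SysWOW64. Because 32-bit processes are subject to WoW64 file-system redirection, both command lines refer to the same on-disk file under SysWOW64, so a rule that keys on the literal path would count them as two modules. The Python below is an added example and is not part of the sandbox report or of Joe Security's tooling: it parses rundll32 command lines, folds the redirection so both lines resolve to one canonical module, and flags non-DLL extensions. It also flags export-by-ordinal calls, a general rundll32 heuristic that goes beyond this report, whose two lines use named exports. The benign shell32 line, the ordinal line and the Vendor\plugin.dll path are constructed for illustration.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation records in the shape of the report's
# "Commandline" field. The first two are the rundll32 lines from the report;
# the remaining three are constructed noise (one benign, one hypothetical
# ordinal call, one non-rundll32 process) so the rule has something to ignore.
SAMPLE_EVENTS = [
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Awmbc\hyrvgwa.iff",ywJlCo',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Awmbc\hyrvgwa.iff",DllRegisterServer',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'C:\Windows\System32\rundll32.exe "C:\Program Files\Vendor\plugin.dll",#2',
    r'C:\Windows\System32\svchost.exe -k netsvcs -p',
]

# Extensions rundll32 is ordinarily asked to load; anything else is unusual.
DLL_LIKE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"

# host: the rundll32 image; module: quoted or bare path; export: name or #ordinal.
_RUNDLL32_RE = re.compile(
    r'^(?P<host>"?[^"\s]*rundll32\.exe"?)\s+'
    r'(?P<module>"[^"]+"|\S+?),(?P<export>\S+)',
    re.IGNORECASE,
)


@dataclass
class RunDll32Call:
    module: str     # module path exactly as written on the command line
    export: str     # entry point: export name, or "#<n>" for an ordinal
    canonical: str  # lower-cased path after applying WoW64 redirection


def canonical_module_path(module: str, host_is_wow64: bool) -> str:
    """Lower-case the path and, for a 32-bit host, map System32 to SysWOW64.

    WoW64 redirects %windir%\\System32 to %windir%\\SysWOW64 for 32-bit
    processes. The handful of exempt subdirectories (catroot, drivers\\etc, ...)
    are not modelled here.
    """
    path = module.strip('"').lower()
    if host_is_wow64 and path.startswith(SYSTEM32):
        path = SYSWOW64 + path[len(SYSTEM32):]
    return path


def parse_rundll32(cmdline: str) -> Optional[RunDll32Call]:
    """Return the parsed call, or None if the line is not a rundll32 invocation."""
    m = _RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    host_is_wow64 = "syswow64" in m.group("host").lower()
    module = m.group("module").strip('"')
    return RunDll32Call(
        module=module,
        export=m.group("export"),
        canonical=canonical_module_path(module, host_is_wow64),
    )


def suspicious_reasons(call: RunDll32Call) -> list[str]:
    """Heuristics for one call; an empty list means nothing stood out."""
    reasons = []
    ext = ntpath.splitext(call.canonical)[1]
    if ext not in DLL_LIKE_EXTENSIONS:
        reasons.append(f"module extension {ext!r} is not a DLL-like extension")
    if call.export.startswith("#"):
        reasons.append("export invoked by ordinal rather than by name")
    return reasons


def triage(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious canonical module path to its de-duplicated reasons."""
    findings: dict[str, list[str]] = {}
    for line in cmdlines:
        call = parse_rundll32(line)
        if call is None:
            continue
        for reason in suspicious_reasons(call):
            bucket = findings.setdefault(call.canonical, [])
            if reason not in bucket:
                bucket.append(reason)
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Keying findings on the canonical path is what makes the two report lines collapse into a single module, which is also the right unit for a response action (quarantine the file, then hunt for other rundll32 parents that referenced it). The extension allowlist is deliberately short; widen it only for extensions you have seen legitimate software hand to rundll32 on your own estate.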

                                                                                      General

                                                                                      Start time:10:40:32
                                                                                      Start date:14/01/2022
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                      Imagebase:0x7ff6eb840000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:10:40:54
                                                                                      Start date:14/01/2022
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                      Imagebase:0x7ff6eb840000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:10:41:13
                                                                                      Start date:14/01/2022
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                      Imagebase:0x7ff6eb840000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:10:41:28
                                                                                      Start date:14/01/2022
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                      Imagebase:0x7ff6eb840000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:10:44:16
                                                                                      Start date:14/01/2022
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                      Imagebase:0x7ff6eb840000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Disassembly

                                                                                      Code Analysis
