
Windows Analysis Report MUm03X31dO

Overview

General Information

Sample Name: MUm03X31dO (renamed file extension from none to dll)
Analysis ID: 553376
MD5: 3d903830752a14532ac653aec068a5ac
SHA1: 18f66ff84a3d37245b060747823ddc220b7bb9ba
SHA256: 413d3d3d717f9874ca23af53646794c7903ff817d9a97ac2be1b641695c1fc1a
Tags: 32 dll exe

Most interesting Screenshot:

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 3092 cmdline: loaddll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 3336 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5288 cmdline: rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5304 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 5396 cmdline: regsvr32.exe /s C:\Users\user\Desktop\MUm03X31dO.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 1760 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2924 cmdline: rundll32.exe C:\Users\user\Desktop\MUm03X31dO.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6180 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qcnuamvgfncza\wcwmsazphhlpar.wmq",LVfdvbviW MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6212 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qcnuamvgfncza\wcwmsazphhlpar.wmq",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 280 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 340 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4732 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6160 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3092 -ip 3092 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6220 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6312 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6388 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6496 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6540 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4828 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 2252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6344 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6612 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1236 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4320 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6248 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.325569236.0000000004F91000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000C.00000002.789766626.0000000003591000.00000020.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.279872863.0000000005681000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.325659124.0000000004FF1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.279101229.0000000003420000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(51 entries in total; the first 5 are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.regsvr32.exe.3210000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
10.2.rundll32.exe.4c70000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.4f60000.4.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
12.2.rundll32.exe.56b0000.6.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.4ff0000.7.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(79 entries in total; the first 5 are shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3336, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",#1, ProcessId: 5288

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.regsvr32.exe.31e0000.0.raw.unpack, Malware Configuration Extractor: Emotet (the same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: MUm03X31dO.dll, Virustotal: Detection: 17%
Source: MUm03X31dO.dll, ReversingLabs: Detection: 18%
Source: MUm03X31dO.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.286863013.00000000055D8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.286934927.00000000055D8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.286918420.00000000055D0000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.281926953.0000000004C95000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282871171.0000000003162000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282376403.0000000003162000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.286852720.00000000055D2000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.286863013.00000000055D8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.286934927.00000000055D8000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.286863013.00000000055D8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.286934927.00000000055D8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.286863013.00000000055D8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.286934927.00000000055D8000.00000004.00000040.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.298073985.0000000000B02000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.286852720.00000000055D2000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.286926282.00000000055D5000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282348729.000000000315C000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.283216718.000000000315C000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.286852720.00000000055D2000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.286926282.00000000055D5000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.286863013.00000000055D8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.286934927.00000000055D8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.286918420.00000000055D0000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.286918420.00000000055D0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.286918420.00000000055D0000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.286852720.00000000055D2000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282390808.0000000003168000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282895122.0000000003168000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282993001.0000000003168000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.286863013.00000000055D8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.286934927.00000000055D8000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.286863013.00000000055D8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.286934927.00000000055D8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.282390808.0000000003168000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282895122.0000000003168000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282993001.0000000003168000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.286918420.00000000055D0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.286863013.00000000055D8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.286934927.00000000055D8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.282871171.0000000003162000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.282376403.0000000003162000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.286863013.00000000055D8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.286934927.00000000055D8000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb| source: WerFault.exe, 0000000B.00000003.286918420.00000000055D0000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.286844011.0000000004F21000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.282348729.000000000315C000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.283216718.000000000315C000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49759 -> 45.138.98.34:80
Source: Traffic, Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49760 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, IPs: the 27 C2 endpoints listed under Malware Configuration above
Source: global traffic, TCP traffic: 192.168.2.5:49760 -> 69.16.218.101:8080
Source: unknown, Network traffic detected: IP country count 12
Source: unknown, TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000001.00000002.607078121.00000253F4698000.00000004.00000001.sdmp, svchost.exe, 00000025.00000002.587514347.00000138A9900000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000001.00000002.606968312.00000253F4600000.00000004.00000001.sdmp, String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.12.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000C.00000003.320419910.00000000033F5000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000003.323602464.0000000003418000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000002.789355636.0000000003418000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b74f4c1b3804a
Source: svchost.exe, 00000025.00000003.564818764.00000138A997F000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564906625.00000138A99A0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564934406.00000138A9E02000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564879291.00000138A99C0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564858410.00000138A99C0000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.11.dr, String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000F.00000002.308687351.000001FADDC13000.00000004.00000001.sdmp, String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000D.00000002.788022465.0000020140E40000.00000004.00000001.sdmp, String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000D.00000002.788022465.0000020140E40000.00000004.00000001.sdmp, String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000D.00000002.788022465.0000020140E40000.00000004.00000001.sdmp, String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmp, String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000D.00000002.788022465.0000020140E40000.00000004.00000001.sdmp, String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000002.788022465.0000020140E40000.00000004.00000001.sdmp, String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000F.00000002.308737849.000001FADDC29000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.308768774.000001FADDC3E000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000F.00000002.308831607.000001FADDC6B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308067275.000001FADDC69000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000002.308796611.000001FADDC50000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308113977.000001FADDC4F000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000F.00000002.308737849.000001FADDC29000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 0000000F.00000002.308768774.000001FADDC3E000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 0000000F.00000002.308737849.000001FADDC29000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 0000000F.00000002.308777977.000001FADDC43000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308165976.000001FADDC41000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308193973.000001FADDC42000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 0000000F.00000002.308777977.000001FADDC43000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308165976.000001FADDC41000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308193973.000001FADDC42000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308165976.000001FADDC41000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 00000025.00000003.564818764.00000138A997F000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564906625.00000138A99A0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564934406.00000138A9E02000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564879291.00000138A99C0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564858410.00000138A99C0000.00000004.00000001.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000F.00000003.308165976.000001FADDC41000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308193973.000001FADDC42000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 0000000F.00000002.308768774.000001FADDC3E000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000F.00000003.285984047.000001FADDC31000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000F.00000002.308768774.000001FADDC3E000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 0000000F.00000002.308768774.000001FADDC3E000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308687351.000001FADDC13000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000F.00000003.285984047.000001FADDC31000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000F.00000003.308187118.000001FADDC46000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308165976.000001FADDC41000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000F.00000003.285984047.000001FADDC31000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 0000000F.00000003.285984047.000001FADDC31000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308264890.000001FADDC3B000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000F.00000002.308796611.000001FADDC50000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308113977.000001FADDC4F000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: svchost.exe, 00000025.00000003.564818764.00000138A997F000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564906625.00000138A99A0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564934406.00000138A9E02000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564879291.00000138A99C0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564858410.00000138A99C0000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000025.00000003.564818764.00000138A997F000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564906625.00000138A99A0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564934406.00000138A9E02000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564879291.00000138A99C0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564858410.00000138A99C0000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000025.00000003.565870723.00000138A9E02000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.565849654.00000138A998B000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.565780572.00000138A99A2000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.565821635.00000138A99A2000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10001280 recvfrom,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 3.2.regsvr32.exe.3210000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.4c70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4f60000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.56b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4ff0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5ca0000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5cd0000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5300000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5b90000.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.3420000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5fb0000.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5ca0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5f80000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5b60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.4c70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.55f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.6080000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.60e0000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5a00000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5870000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.3560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.53a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.53d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.2180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.31e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.4f30000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.21b0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.3420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.54c0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.3590000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.59d0000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4f60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5600000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.56b0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5f80000.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.3450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5490000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.4f30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5b60000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.6110000.23.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.2180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.53a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.2180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.58a0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.31e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5810000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.2180000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5300000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.4ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5db0000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5650000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4eb0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4e80000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.59d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.56e0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.4f90000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5810000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4f90000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4810000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5870000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.55f0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.60e0000.22.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.60b0000.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2a00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5490000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4840000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5680000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.6080000.20.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.3560000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5650000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5620000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5d80000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.5d80000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4e80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.325569236.0000000004F91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.789766626.0000000003591000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279872863.0000000005681000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.325659124.0000000004FF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279101229.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279636390.00000000053D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.792807841.0000000006080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.789644115.0000000003560000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.283643613.0000000004CA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.791029959.00000000056E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279824791.0000000005621000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.324583547.0000000004841000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.792730843.0000000005FB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.792383699.0000000005DB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.790492761.0000000005300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299691728.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.792197793.0000000005CD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.791999231.0000000005B91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299733023.00000000021B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.791439541.00000000058A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.792916156.00000000060E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.792123168.0000000005CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279685009.0000000005490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.283528746.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.792865866.00000000060B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.325516887.0000000004F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.274800070.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.790959470.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.325610829.0000000004FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.265604220.00000000031E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.274835545.00000000021B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279848866.0000000005650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.325399866.0000000004E80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.265632005.0000000003211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.791273424.0000000005841000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.791366610.0000000005870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.267814395.0000000000920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.790442344.0000000004F91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.273742640.00000000021B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.792648530.0000000005F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.790324399.0000000004F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.280137908.00000000059D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.280317920.0000000005A01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279133215.0000000003451000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279724153.00000000054C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.792953896.0000000006111000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.791155668.0000000005810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.792292788.0000000005D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.325458310.0000000004EB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279796782.00000000055F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.271058479.0000000002A01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.324499260.0000000004810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.790839088.0000000005601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.791959998.0000000005B60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.273707412.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279604016.00000000053A0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Source: MUm03X31dO.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3092 -ip 3092
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Qcnuamvgfncza\wcwmsazphhlpar.wmq:Zone.Identifier
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CEFDD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C7A0F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021D2009
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C8806
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C9A01
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021B3431
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021B8636
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021BB820
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C2E5D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CB257
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C4244
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021B7442
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021BE640
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CF840
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021BA445
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021B7E79
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021B7078
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C567B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CA474
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021BA871
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CDC71
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021BDE74
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021D0A64
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C4A66
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021D3263
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021D46BD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C0EBC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021BC6B8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C0ABA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021BBAA9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C3EAA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021D36AA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CA2A5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021B1CA1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CCCD9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CD8DB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CCAD5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021B80C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CBEFD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021BF0E9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021D00EF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021D3EE9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CE4E5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C5515
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021B670B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021D2B09
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CAD08
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021BEF0C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C8D3D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021B1F38
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C5333
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CFF58
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C7D5B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021CE955
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021D2D53
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C654A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021BD14C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C2142
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021B6B7A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C5779
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C437A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C017B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021C4F74
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021C9774
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021BF369
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021B2194
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021BFB8E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021B238C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021C3D85
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021C0F86
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021C6187
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021CD1BC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021D17BD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021B57B8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021BBFBE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021C8FAE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021D07AA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021B77A3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021CFBDE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021BC5D8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021BE7DE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021CC5D5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021C85FF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021CE1F8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021B55FF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021C27F9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021B4BFC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021C07F4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021C9DF5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021C67E6
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100291F6
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002F378
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100403D7
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1004250B
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10041557
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100395A1
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002F784
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1004091B
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002EACF
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002FBA4
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10035D96
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10040E5F
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002EFA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1004091B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100291F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002EACF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100403D7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1004250B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10041557
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100395A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100291F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1002F378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100403D7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1004250B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10041557
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100395A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1002F784
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1004091B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1002EACF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1002EFA4
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030E38 appears 57 times
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030535 appears 87 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030E38 appears 111 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 1003578B appears 45 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030535 appears 125 times
Source: MUm03X31dO.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: MUm03X31dO.dll | Virustotal: Detection: 17%
Source: MUm03X31dO.dll | ReversingLabs: Detection: 18%
Source: MUm03X31dO.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MUm03X31dO.dll
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MUm03X31dO.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3092 -ip 3092
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qcnuamvgfncza\wcwmsazphhlpar.wmq",LVfdvbviW
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 280
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qcnuamvgfncza\wcwmsazphhlpar.wmq",DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 280
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1570.tmp
Source: classification engine | Classification label: mal96.troj.evad.winDLL@37/17@0/29
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:6160:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3092
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2252:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10021183 LoadResource,LockResource,SizeofResource,
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: MUm03X31dO.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MUm03X31dO.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MUm03X31dO.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MUm03X31dO.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MUm03X31dO.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_021B1195 push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1003060D push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10030E7D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1003060D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10030E7D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1003060D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10030E7D push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
Source: MUm03X31dO.dll | Static PE information: real checksum: 0x970bf should be: 0x915b9
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MUm03X31dO.dll
Source: C:\Windows\SysWOW64\rundll32.exe | PE file moved: C:\Windows\SysWOW64\Qcnuamvgfncza\wcwmsazphhlpar.wmq

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Qcnuamvgfncza\wcwmsazphhlpar.wmq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Pudxszghsoap\ssyrppirwzddvfh.yvf:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
Source: C:\Windows\System32\svchost.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 1064 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6856 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\regsvr32.exe | API coverage: 4.4 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 5.9 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 5.4 %
Source: C:\Windows\System32\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.11.drBinary or memory string: VMware
                      Source: svchost.exe, 00000001.00000002.606578422.00000253EEE29000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW`3f
                      Source: Amcache.hve.11.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: svchost.exe, 00000001.00000002.607054158.00000253F4660000.00000004.00000001.sdmpBinary or memory string: "@Hyper-V RAW
                      Source: Amcache.hve.11.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.11.drBinary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.11.drBinary or memory string: VMware, Inc.
                      Source: svchost.exe, 00000025.00000002.587178365.00000138A9084000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWp
                      Source: Amcache.hve.11.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.11.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.11.drBinary or memory string: VMware7,1
                      Source: Amcache.hve.11.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.11.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.11.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: svchost.exe, 00000001.00000002.607036375.00000253F4649000.00000004.00000001.sdmp, svchost.exe, 00000025.00000002.587318157.00000138A90EA000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: Amcache.hve.11.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.11.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.11.drBinary or memory string: VMware, Inc.me
                      Source: Amcache.hve.11.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.11.drBinary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
                      Source: svchost.exe, 0000000D.00000002.788022465.0000020140E40000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.788104736.000001A399429000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Amcache.hve.11.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10002F07 VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021BF7F7 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_021BEC31 LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 69.16.218.101 144
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 45.138.98.34 80
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",#1
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3092 -ip 3092
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 280
                      Source: loaddll32.exe, 00000000.00000000.274747919.0000000000CF0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.273662677.0000000000CF0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.790126633.0000000003A20000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.274747919.0000000000CF0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.273662677.0000000000CF0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.790126633.0000000003A20000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.274747919.0000000000CF0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.273662677.0000000000CF0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.790126633.0000000003A20000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
                      Source: loaddll32.exe, 00000000.00000000.274747919.0000000000CF0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.273662677.0000000000CF0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.790126633.0000000003A20000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
                      Source: loaddll32.exe, 00000000.00000000.274747919.0000000000CF0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.273662677.0000000000CF0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.790126633.0000000003A20000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10024F01 _memset,GetVersionExA,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: Amcache.hve.11.drBinary or memory string: msmpeng.exe
                      Source: Amcache.hve.11.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: svchost.exe, 00000012.00000002.787887499.000002171B429000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.788071999.000002171B502000.00000004.00000001.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 00000012.00000002.787978776.000002171B440000.00000004.00000001.sdmpBinary or memory string: *@V%ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara matchFile source: 3.2.regsvr32.exe.3210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.4c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.4f60000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.56b0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.4ff0000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5ca0000.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5cd0000.15.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5300000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5b90000.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.3420000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5fb0000.19.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5ca0000.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5f80000.18.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5b60000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.4c70000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.55f0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.21b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.6080000.20.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.60e0000.22.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.5a00000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5870000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.3560000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.53a0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.53d0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2180000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10001160 WSAStartup, _memset, htonl, htons, socket, bind, setsockopt
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10001160 WSAStartup, _memset, htonl, htons, socket, bind, setsockopt
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10001160 WSAStartup, _memset, htonl, htons, socket, bind, setsockopt

MITRE ATT&CK Matrix

Numbers in parentheses are the match counts the report attaches to techniques observed in this analysis; techniques without a count are matrix entries not matched by this analysis.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | Input Capture (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API (2) | Boot or Logon Initialization Scripts | Process Injection (112) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | File and Directory Discovery (1) | Remote Desktop Protocol | Input Capture (1) | Exfiltration Over Bluetooth | Encrypted Channel (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (2) | Security Account Manager | System Information Discovery (34) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading (1) | NTDS | Query Registry (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (1) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | File Deletion (1) | LSA Secrets | Security Software Discovery (61) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading (2) | Cached Domain Credentials | Virtualization/Sandbox Evasion (3) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion (3) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection (112) | Proc Filesystem | Application Window Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories (1) | /etc/passwd and /etc/shadow | Remote System Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Regsvr32 (1) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Rundll32 (1) | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

Behavior Graph

Behavior Graph ID: 553376 | Sample: MUm03X31dO | Startdate: 14/01/2022 | Architecture: WINDOWS | Score: 96

(The graph image is not reproduced; the node and edge data recoverable from it follows.)

Process tree:
loaddll32.exe -> rundll32.exe -> rundll32.exe -> rundll32.exe (connects to 45.138.98.34:80, M247 GB, Germany; 69.16.218.101:8080, LIQUIDWEB US, United States; 192.168.2.1, unknown)
loaddll32.exe -> cmd.exe -> rundll32.exe -> rundll32.exe
loaddll32.exe -> regsvr32.exe -> rundll32.exe
loaddll32.exe -> WerFault.exe
svchost.exe -> MpCmdRun.exe -> conhost.exe
svchost.exe (connects to 127.0.0.1, unknown)
10 other processes, one of which -> WerFault.exe

Network nodes at the root: 210.57.209.142 (UNAIR-AS-ID, Universitas Airlangga, Indonesia); 85.214.67.203 (STRATO AG, Germany); 23 other IPs or domains.

Signatures attached to graph nodes:
Root: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 3 other signatures
svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall)
rundll32.exe (child of the first rundll32.exe, and child of the rundll32.exe spawned via cmd.exe): Hides that the sample has been downloaded from the Internet (zone.identifier)
rundll32.exe (the network-connecting instance): System process connects to network (likely due to code injection or exploit)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
MUm03X31dO.dll | 17% | Virustotal |
MUm03X31dO.dll | 19% | ReversingLabs |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
7.2.rundll32.exe.4fc0000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.3420000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.5b90000.13.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.4f30000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.5b60000.12.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.5a00000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.3590000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.loaddll32.exe.21b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.5fb0000.19.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.53d0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.regsvr32.exe.3210000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.4c70000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
7.2.rundll32.exe.4f60000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
7.2.rundll32.exe.4ff0000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.5ca0000.14.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.5cd0000.15.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.5300000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
0.2.loaddll32.exe.21b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.5870000.10.unpack | 100% | Avira | HEUR/AGEN.1145233
0.0.loaddll32.exe.21b0000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.54c0000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.59d0000.10.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.5600000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.56b0000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.3450000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.5f80000.18.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.53a0000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.5490000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.920000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
0.0.loaddll32.exe.2180000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.6110000.23.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.58a0000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.regsvr32.exe.31e0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.5840000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.5db0000.17.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll32.exe.2180000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
0.0.loaddll32.exe.2180000.3.unpack | 100% | Avira | HEUR/AGEN.1145233
10.2.rundll32.exe.4ca0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.4eb0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.4e80000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.56e0000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.5810000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.4f90000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.4f90000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.4810000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.60e0000.22.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.55f0000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.60b0000.21.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.2a00000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.4840000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.6080000.20.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.5620000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.5680000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.3560000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.5d80000.16.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.5650000.8.unpack | 100% | Avira | HEUR/AGEN.1145233

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmp | false | | high
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000025.00000003.564818764.00000138A997F000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564906625.00000138A99A0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564934406.00000138A9E02000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564879291.00000138A99C0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564858410.00000138A99C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000F.00000003.308187118.000001FADDC46000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308165976.000001FADDC41000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000F.00000002.308768774.000001FADDC3E000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000F.00000002.308768774.000001FADDC3E000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 0000000F.00000002.308831607.000001FADDC6B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308067275.000001FADDC69000.00000004.00000001.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000F.00000002.308796611.000001FADDC50000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308113977.000001FADDC4F000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000F.00000002.308768774.000001FADDC3E000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000F.00000002.308737849.000001FADDC29000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000F.00000003.285984047.000001FADDC31000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000001.00000002.606968312.00000253F4600000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308165976.000001FADDC41000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmp | false | | high
http://upx.sf.net | Amcache.hve.11.dr | false | | high
https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000025.00000003.565870723.00000138A9E02000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.565849654.00000138A998B000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.565780572.00000138A99A2000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.565821635.00000138A99A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000F.00000002.308768774.000001FADDC3E000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308687351.000001FADDC13000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000F.00000002.308777977.000001FADDC43000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308165976.000001FADDC41000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308193973.000001FADDC42000.00000004.00000001.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 0000000D.00000002.788022465.0000020140E40000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000F.00000002.308796611.000001FADDC50000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308113977.000001FADDC4F000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000F.00000003.285984047.000001FADDC31000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000F.00000002.308737849.000001FADDC29000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000F.00000003.285984047.000001FADDC31000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmp | false | | high
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000025.00000003.564818764.00000138A997F000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564906625.00000138A99A0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564934406.00000138A9E02000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564879291.00000138A99C0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564858410.00000138A99C0000.00000004.00000001.sdmp | false | |
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 0000000F.00000002.308777977.000001FADDC43000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308165976.000001FADDC41000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308193973.000001FADDC42000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://dynamic.tsvchost.exe, 0000000F.00000003.308165976.000001FADDC41000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308193973.000001FADDC42000.00000004.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://disneyplus.com/legal.svchost.exe, 00000025.00000003.564818764.00000138A997F000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564906625.00000138A99A0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564934406.00000138A9E02000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564879291.00000138A99C0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564858410.00000138A99C0000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000F.00000003.285984047.000001FADDC31000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.308264890.000001FADDC3B000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                https://activity.windows.comsvchost.exe, 0000000D.00000002.788022465.0000020140E40000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://www.bingmapsportal.comsvchost.exe, 0000000F.00000002.308687351.000001FADDC13000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000F.00000003.308096087.000001FADDC62000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000F.00000002.308737849.000001FADDC29000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://help.disneyplus.com.svchost.exe, 00000025.00000003.564818764.00000138A997F000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564906625.00000138A99A0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564934406.00000138A9E02000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564879291.00000138A99C0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.564858410.00000138A99C0000.00000004.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000F.00000002.308768774.000001FADDC3E000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          https://%s.dnet.xboxlive.comsvchost.exe, 0000000D.00000002.788022465.0000020140E40000.00000004.00000001.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          low
                                                                                          https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308788623.000001FADDC4C000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000F.00000003.308136639.000001FADDC4A000.00000004.00000001.sdmpfalse
                                                                                              high

                                                                                              Contacted IPs


                                                                                              Private

                                                                                              IP
                                                                                              192.168.2.1
                                                                                              127.0.0.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553376
Start date: 14.01.2022
Start time: 19:31:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: MUm03X31dO (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winDLL@37/17@0/29
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 98.9% (good quality ratio 92.4%)
• Quality average: 70.5%
• Quality standard deviation: 26.8%
HCA Information:
• Successful, ratio: 68%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
Warnings:
                                                                                              • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
                                                                                              • Excluded IPs from analysis (whitelisted): 23.3.108.67, 173.222.108.226, 173.222.108.210, 20.54.110.249, 40.91.112.76, 20.190.159.136, 40.126.31.137, 40.126.31.8, 40.126.31.1, 40.126.31.4, 40.126.31.139, 40.126.31.141, 20.190.159.138, 51.104.136.2
                                                                                              • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.akadns.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                              Simulations

                                                                                              Behavior and APIs

Time | Type | Description
19:32:41 | API Interceptor | 10x Sleep call for process: svchost.exe modified
19:33:58 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

                                                                                              Joe Sandbox View / Context

                                                                                              IPs

                                                                                              No context

                                                                                              Domains

                                                                                              No context

                                                                                              ASN

                                                                                              No context

                                                                                              JA3 Fingerprints

                                                                                              No context

                                                                                              Dropped Files

                                                                                              No context

                                                                                              Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.3593198815979092
Encrypted: false
SSDEEP: 12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5: BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1: C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256: BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512: 00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious: false
Reputation: unknown
                                                                                              C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                              File Type:MPEG-4 LOAS
                                                                                              Category:dropped
                                                                                              Size (bytes):1310720
                                                                                              Entropy (8bit):0.24944949370058617
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4z:BJiRdwfu2SRU4z
                                                                                              MD5:DA79B1CFF93094877D4823E1BB39FF75
                                                                                              SHA1:8EF7FBDD0B80B283A8D8C0A4143634B7F54E9139
                                                                                              SHA-256:EFA463496BA0F7483BEF0818A07060B483FFF7C1362B93D3CDBD5A28F9227858
                                                                                              SHA-512:D2A161564F1C9ACDEBBD5BAECC833CEE51AA5D8DA42D510310EAAF42CC3069C4173BC916AE210B2DE2AFC62CD2C707A507BF2F3F1485B223804F033334430D24
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
                                                                                              C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0xc989125a, page size 16384, Windows version 10.0
                                                                                              Category:dropped
                                                                                              Size (bytes):786432
                                                                                              Entropy (8bit):0.2505690875436149
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:FbK+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:FblSB2nSB2RSjlK/+mLesOj1J2
                                                                                              MD5:7BE22708E512B569928E4F0BE9268AF8
                                                                                              SHA1:E2B6DE482B08F50508DFB83D70E7B61352EED899
                                                                                              SHA-256:405DF419C0A6E1AD9CF6E889D77460A8D0305AB5036477435F6301D78CF26FED
                                                                                              SHA-512:99393E8FA54EFACA9B6AB5277EDAE1B868DE28A079E5A12BF6FD79C3B60319529D6122F0843AED4AD36D6D3B512BAAD54052E53C13F224520C0AD7F84E3ADDB3
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: ..Z... ................e.f.3...w........................).....4#...zA.) ...z[.h.(.....4#...zA...)..............3...w...........................................................................................................B...........@...................................................................................................... ....................................................................................................................................................................................................................................................v*4#...zA.....................4#...zA.........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):16384
                                                                                              Entropy (8bit):0.0762198684655764
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:cFm/tJ7vMFmsjqWol/l/7oRskg1GmfimXlxqdl/l/oll3Vkttlmlnl:ck1JrMBWdlt8Rskg1FKGlx4ltA3
                                                                                              MD5:30972233CA962E112B3596684632133A
                                                                                              SHA1:09735D2999BDA833429C97FB303ABFCE686A1289
                                                                                              SHA-256:F06A86B134A4BE362B256D0F1797C6F72988FC45582AFC804C2C72EB84B68211
                                                                                              SHA-512:D6176347A228C22A117906FEB05F0D7C7DDD4DE8D8EE497DEC8E5E3FEB46DBA3B49E9FB87319C33BBBDC1F4DA8A5E06BDDA00C2B6F093CD0C993274EC38ED725
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: .0 B.....................................3...w..) ...z[.4#...zA.........4#...zA.4#...zA..I..4#...z......................4#...zA.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d422a667165d65114742feca998c4f65a16c35b9_7cac0383_19861961\Report.wer
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):65536
                                                                                              Entropy (8bit):0.7985022435663411
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:7CAYSLnYyIy9haol7JfqpXIQcQSc6mcEUcw3/s+a+z+HbHgNVG4rmMoVazWbSmDx:F7nEHsieryj1q/u7sgS274ItW
                                                                                              MD5:CD418AB53651DE1F8C950953AE0108BB
                                                                                              SHA1:A65A5FF2B07F481534A3190866FB1C40B4CD7ECA
                                                                                              SHA-256:94EBAFF64FADD0CAE2FAC266C12260844DF4A96A5AEF80C954351AC379EA978F
                                                                                              SHA-512:E165973A91CE8AF97D1A66DB8737F21C7EDCC869C701C98EADA934747AB35FD7485CF0489ED8929564E5249A876F45113EEA652EB4DEE8A629744FBD9C218FED
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.9.1.1.7.3.4.9.2.9.3.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.a.e.2.4.6.6.-.b.f.d.f.-.4.3.7.2.-.8.7.f.a.-.7.5.5.0.5.2.4.4.1.e.c.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.c.2.5.e.4.4.-.3.6.8.4.-.4.d.8.a.-.9.8.7.3.-.d.d.6.a.1.3.2.8.6.6.c.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.1.4.-.0.0.0.1.-.0.0.1.6.-.4.5.2.0.-.b.9.8.c.c.0.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER1570.tmp.csv
                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):50666
                                                                                              Entropy (8bit):3.072279897276509
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:2IHC75EXp8V22RJxG5An3tPzXWy3MO+HrM3J3Brq+:2IHCUp8V22/xG5q3tPzGycO4rOJ3N7
                                                                                              MD5:3701E3A9A355B301D2EE18A47566FAF5
                                                                                              SHA1:629F7E43701FB7AA405149F1E6447E88CCFC0F55
                                                                                              SHA-256:39D509DA64FA0E4B0300C0B32F0484F0F35E2D34075195E7B10D7F584471A46D
                                                                                              SHA-512:E40BDC3255BE9C50F95422D13C21A8178B86361ABA5B876CA2155850F004C08947EA744C1F18925F09BE512267EF2986FF70FFEFDACE013C58D64F8CD8580099
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER192A.tmp.txt
                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):13340
                                                                                              Entropy (8bit):2.693170788236181
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:9GiZYWs7XT7wYQYxWYHVfUYEZzot8iOZqOKwEDeanyKbrlbhNIv63:9jZDXHvyCanyKb5dSv63
                                                                                              MD5:3E83A5FABFDDBAE23C05ACAE852EEB6A
                                                                                              SHA1:7852DBD08FE1F29911236A70BAFE885B82EDA804
                                                                                              SHA-256:82C966945282FCB3C3DC3BD3046884972EBF0156961A8CCEC4F5233556EC061B
                                                                                              SHA-512:0E3FE2CAAE0C99D1DDE4259D643B842E68CFF63DB04BECBF8D720FB90DC3F25ADB0727F9847FB8B016468E2F578BAABAC462F243DD22250B96AD999B5B7599FF
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER26E.tmp.dmp
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:Mini DuMP crash report, 15 streams, Sat Jan 15 03:32:54 2022, 0x1205a4 type
                                                                                              Category:dropped
                                                                                              Size (bytes):44556
                                                                                              Entropy (8bit):2.115394953653192
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:v/tsMxaj1O5JNEMXcT/7Ngwvuxwfy+jw/SpenVXTLAsBjI8D9:hIjY5TEMX0Zgw2Wfy+jw/SpcVXTFIo
                                                                                              MD5:D876DE2D22DC89A4C4042154918334F6
                                                                                              SHA1:13CBD0C04E3C09BBBCC5C33AB6D0F6F7FA5C92E5
                                                                                              SHA-256:E9DD6A45EE39CA97270FC5B3B9129099487B86E2E969ED53F8BE5BEF8B90AC83
                                                                                              SHA-512:57B627F090520860DA014D240E010344A06C4E9061B046DF6A711A79BBD1CE00412455BC08F3299C47B68CFF90E7EE42185AB188F7737475F447EC47AA7FEB88
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: MDMP....... .......f@.a....................................$...T............%..........`.......8...........T...........................x...........d....................................................................U...........B..............GenuineIntelW...........T...........X@.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B3.tmp.WERInternalMetadata.xml
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):8346
                                                                                              Entropy (8bit):3.6998653556481806
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:Rrl7r3GLNiiw6/MpO6YIUSUw6+gmfjSwGQCpBqx89bPSsfYFm:RrlsNiN6/MpO6YbSUw6+gmfjSw+PRf3
                                                                                              MD5:EB9636925492D691CC9C760791AC599A
                                                                                              SHA1:BA95C80FA251BBC5031062397513C02BAC5AEB1F
                                                                                              SHA-256:13E5CE70174E79CB775728312A4DB17F843C39587E17F7BAAAA9DC65ECC7B05D
                                                                                              SHA-512:CB1CD2742B9330303BE01D5653DE2F99EFA96AD2C1266F9749E22602B78FF9300BC0B718F220F644FBEA3AE9DB1C0F2E74FCAD37993B15BAAE30039698689316
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.9.2.<./.P.i.d.>.......
                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCE.tmp.xml
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):4598
                                                                                              Entropy (8bit):4.4724972705081765
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:cvIwSD8zsFJgtWI9vfWSC8Bqn8fm8M4J2++ZFWkj+q84pDBKcQIcQw0ed:uITffsOSNosJ4ikjlBKkw0ed
                                                                                              MD5:1F9E5D8163DDE4B7E2258BEE70E1DB68
                                                                                              SHA1:A801F83AE601B33BEE49F99834A9B4B5A4644187
                                                                                              SHA-256:20D4463D4A237A2EF14827C4A975AC6CF5571A98C1C7D8BC68743520BF2E586F
                                                                                              SHA-512:A9DCD87B505639E37622A1B32800F46D32568AB71F6D1C5EF905C53FABB2169F4BC6C5A595AAECD7C3911390A8F45A08AE5C2834E11878C5EC88E4BD99E53946
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342843" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                              File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                                                                                              Category:dropped
                                                                                              Size (bytes):61414
                                                                                              Entropy (8bit):7.995245868798237
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                                                                                              MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                                                                                              SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                                                                                              SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                                                                                              SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....
                                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                              File Type:data
                                                                                              Category:modified
                                                                                              Size (bytes):328
                                                                                              Entropy (8bit):3.1101581551051365
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:kK6k8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:y9kPlE99SNxAhUeYlUSA/t
                                                                                              MD5:8108B7C43873A62B639C7DFC11477F9C
                                                                                              SHA1:6E778FB9B54A008ED03F0FD09AFA9805DAC2DEF8
                                                                                              SHA-256:01ECD101B08F450660661D33D67B696ED47C534468DA582999BCBEC32245C7FD
                                                                                              SHA-512:0C60ED2002485C21C5558B4371399C943739DC22DC2176837333DE36F03769A12F1831569AFD198A4829590FA5E443C1F881146B6A47E3C10CA03FAE9C0A7BC5
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: p...... ........./!.....(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...
                                                                                              C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):55
                                                                                              Entropy (8bit):4.306461250274409
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                              C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                              Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                              Category:modified
                                                                                              Size (bytes):7250
                                                                                              Entropy (8bit):3.1680623670304033
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:cEj+AbCEH+AbuEAc+AbhGEA+AbNEe+Ab/Ee+AbPE6w9+Ab1wTEx+Ab4:cY+38+DJc+iGr+MZ+65+6tg+ECW+B
                                                                                              MD5:0A6E5EC29FF6CBB78182FD4643A0620B
                                                                                              SHA1:6A19A5EA76FD223350BD837277D4934B23E4DF28
                                                                                              SHA-256:010E92702DFA0CE7B6FDD0808651022536AF40225D196DC703665D8CC1CCA520
                                                                                              SHA-512:291EED49336602D6BB7560B380CD26FD341E47F19E4F2DF5D7128DCCF5D4F1E52C56D95B76732777DEFEA4E429D95F4E34E5DB44F1AE305AE95AA21C6036F831
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: ..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
                                                                                              C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220115_033253_275.etl
                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):12288
                                                                                              Entropy (8bit):3.7827604547607203
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:6C/dQpo+FP5uT9n2YAFCrSI2lAvkjM4vOT2YYFzSbUMCN6JRnXgY5vbMCUl5rbMR:xC22cl22hpTCmQCxCiCpCHCo
                                                                                              MD5:0F27C294FAE023B00E4F8CB7EAE449D3
                                                                                              SHA1:93C990066F145FDBA5D5B9DF28421FE5B69AA238
                                                                                              SHA-256:F4685B3366AA4484CE7CA9E6FFCD7ECDBFC91BB63C3237A2E63047C7C494C34C
                                                                                              SHA-512:42CE8FAF4C3E12ADAD31AF87B16D7DD2496F16BF015922FE083AFCBD1AB1D395E88FB10B8ABAD3B81BDC759598276DFAE0E1C5BCF628536ED683B4386F601A31
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: .... ... ....................................... ...!............................................................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... ......qC.............8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.2.0.1.1.5._.0.3.3.2.5.3._.2.7.5...e.t.l.........P.P.................................................................................................................................................................................................................................................................................
                                                                                              C:\Windows\appcompat\Programs\Amcache.hve
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:MS Windows registry file, NT/2000 or above
                                                                                              Category:dropped
                                                                                              Size (bytes):1572864
                                                                                              Entropy (8bit):4.261074529688364
                                                                                              Encrypted:false
                                                                                              SSDEEP:12288:tgdqPEaAOMUFFzFG/4clZ69ZB7/0yp/6gc22XfHwBweiLja4QzDqCIlN:GdqPEaAOMUFFzFGNwt4N
                                                                                              MD5:45C880898530C968183384352ADE982A
                                                                                              SHA1:525A6D7AE3529BF6186CFBB92ABCEB09AD8D8A93
                                                                                              SHA-256:EBF318B3A2DFB7748D405EF3129CE7E93FC720ED3AE22709F53980CFCBB9F23B
                                                                                              SHA-512:91791891CDCA5CCFF4B39B2FA85C6DDE9C7AA86621D020D808E065A99BB4B7BF4F29CBF8B88E8A01CF1506CA53A3AB8CBEFDF5F2AFFA2B070127A3ACC609B5A9
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.q....................................................................................................................................................................................................................................................................................................................................................%.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:MS Windows registry file, NT/2000 or above
                                                                                              Category:dropped
                                                                                              Size (bytes):16384
                                                                                              Entropy (8bit):3.0442502429089067
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:iEHbVa11ROZsWwYeQ5FSE9lMqXyQVWnxuYW2o8Kqe8mxwpBuN5t:jBMQ5TXQnxuf2o8PmxwpBuN5t
                                                                                              MD5:0D708793D647F5999B3D8CEE2E15C069
                                                                                              SHA1:E01F43E16DB4489E52683E3F94D71EE0BADB4156
                                                                                              SHA-256:8BE86D96F159B46096D184C91EC570B2FA09C7BA1129D28ECCB053CD73D73EB7
                                                                                              SHA-512:0F6E3337912024ED1777640ECD916634907C335D7ED847BBF7467BA352B8A0543D0C157BF946752C044286FA5235E0FB8764324189F0B5DC8B2E36D09FC4605B
                                                                                              Malicious:false
                                                                                              Reputation:unknown
                                                                                              Preview: regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.q....................................................................................................................................................................................................................................................................................................................................................%.HvLE.>......P............B.p P.-.~..zhjd........................hbin................p.\..,..........nk,...0.........@........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...0......... ...........P............... .......Z.......................Root........lf......Root....nk ...0......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                                                                                              Static File Info

                                                                                              General

                                                                                              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                              Entropy (8bit):6.76759273829286
                                                                                              TrID:
                                                                                              • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
                                                                                              • Windows Screen Saver (13104/52) 1.29%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                              • DOS Executable Generic (2002/1) 0.20%
                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                              File name:MUm03X31dO.dll
                                                                                              File size:588288
                                                                                              MD5:3d903830752a14532ac653aec068a5ac
                                                                                              SHA1:18f66ff84a3d37245b060747823ddc220b7bb9ba
                                                                                              SHA256:413d3d3d717f9874ca23af53646794c7903ff817d9a97ac2be1b641695c1fc1a
                                                                                              SHA512:ee2eedf9ae409940ebbd94f8ca367249550e6becda89189f40cd56c00a0748000dc953175870116327a2739aed1f3dba3c4cf5a5c8ce9bd2ca4bb0a55ff146ae
                                                                                              SSDEEP:6144:cNU5LwA22222GgngDrDRVyYli/ci2tEGW78ODQiE4tvOSk5DKXOW14IkFxVFgY4E:x5w7YM/cYVV7E5OpOJyvnHtytFyQ
                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.......................................^F......^P.n....^W.t....^Y......^A......^G......^B.....Rich....................PE..L..

                                                                                              File Icon

                                                                                              Icon Hash:71b018ccc6577131

                                                                                              Static PE Info

                                                                                              General

                                                                                              Entrypoint:0x1002eaac
                                                                                              Entrypoint Section:.text
                                                                                              Digitally signed:false
                                                                                              Imagebase:0x10000000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                              DLL Characteristics:
                                                                                              Time Stamp:0x61E03DE6 [Thu Jan 13 14:57:42 2022 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:5
                                                                                              OS Version Minor:0
                                                                                              File Version Major:5
                                                                                              File Version Minor:0
                                                                                              Subsystem Version Major:5
                                                                                              Subsystem Version Minor:0
                                                                                              Import Hash:7f57698bb210fa88a6b01b1feaf20957

                                                                                              Entrypoint Preview

                                                                                              Instruction
                                                                                              mov edi, edi
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              cmp dword ptr [ebp+0Ch], 01h
                                                                                              jne 00007F65F12EC9F7h
                                                                                              call 00007F65F12F5268h
                                                                                              push dword ptr [ebp+08h]
                                                                                              mov ecx, dword ptr [ebp+10h]
                                                                                              mov edx, dword ptr [ebp+0Ch]
                                                                                              call 00007F65F12EC8E1h
                                                                                              pop ecx
                                                                                              pop ebp
                                                                                              retn 000Ch
                                                                                              mov edi, edi
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              push esi
                                                                                              push edi
                                                                                              mov edi, dword ptr [ebp+10h]
                                                                                              mov eax, edi
                                                                                              sub eax, 00000000h
                                                                                              je 00007F65F12EDFDBh
                                                                                              dec eax
                                                                                              je 00007F65F12EDFC3h
                                                                                              dec eax
                                                                                              je 00007F65F12EDF8Eh
                                                                                              dec eax
                                                                                              je 00007F65F12EDF3Fh
                                                                                              dec eax
                                                                                              je 00007F65F12EDEAFh
                                                                                              mov ecx, dword ptr [ebp+0Ch]
                                                                                              mov eax, dword ptr [ebp+08h]
                                                                                              push ebx
                                                                                              push 00000020h
                                                                                              pop edx
                                                                                              jmp 00007F65F12ECE67h
                                                                                              mov esi, dword ptr [eax]
                                                                                              cmp esi, dword ptr [ecx]
                                                                                              je 00007F65F12ECA6Eh
                                                                                              movzx esi, byte ptr [eax]
                                                                                              movzx ebx, byte ptr [ecx]
                                                                                              sub esi, ebx
                                                                                              je 00007F65F12ECA07h
                                                                                              xor ebx, ebx
                                                                                              test esi, esi
                                                                                              setnle bl
                                                                                              lea ebx, dword ptr [ebx+ebx-01h]
                                                                                              mov esi, ebx
                                                                                              test esi, esi
                                                                                              jne 00007F65F12ECE5Fh
                                                                                              movzx esi, byte ptr [eax+01h]
                                                                                              movzx ebx, byte ptr [ecx+01h]
                                                                                              sub esi, ebx
                                                                                              je 00007F65F12ECA07h
                                                                                              xor ebx, ebx
                                                                                              test esi, esi
                                                                                              setnle bl
                                                                                              lea ebx, dword ptr [ebx+ebx-01h]
                                                                                              mov esi, ebx
                                                                                              test esi, esi
                                                                                              jne 00007F65F12ECE3Eh
                                                                                              movzx esi, byte ptr [eax+02h]
                                                                                              movzx ebx, byte ptr [ecx+02h]
                                                                                              sub esi, ebx
                                                                                              je 00007F65F12ECA07h
                                                                                              xor ebx, ebx
                                                                                              test esi, esi
                                                                                              setnle bl
                                                                                              lea ebx, dword ptr [ebx+ebx-01h]
                                                                                              mov esi, ebx
                                                                                              test esi, esi
                                                                                              jne 00007F65F12ECE1Dh

                                                                                              Rich Headers

                                                                                              Programming Language:
                                                                                              • [ C ] VS2008 build 21022
                                                                                              • [LNK] VS2008 build 21022
                                                                                              • [ C ] VS2005 build 50727
                                                                                              • [ASM] VS2008 build 21022
                                                                                              • [IMP] VS2005 build 50727
                                                                                              • [RES] VS2008 build 21022
                                                                                              • [EXP] VS2008 build 21022
                                                                                              • [C++] VS2008 build 21022

                                                                                              Data Directories

                                                                                              Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x50bc0          0x50          .rdata
                                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT          0x4f538          0xb4          .rdata
                                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x89000          0x3410        .rsrc
                                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8d000          0x415c        .reloc
                                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x4bd00          0x40          .rdata
                                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                              IMAGE_DIRECTORY_ENTRY_IAT             0x47000          0x454         .rdata
                                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x4f4b0          0x40          .rdata
                                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                              Sections

                                                                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                              .text0x10000x45bb90x45c00False0.379756804435data6.37093799262IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                              .rdata0x470000x9c100x9e00False0.357421875data5.22219001933IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                              .data0x510000x3735c0x33800False0.741035535498data6.11335979295IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                              .rsrc0x890000x34100x3600False0.306640625data4.34913645958IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                              .reloc0x8d0000x8c340x8e00False0.346308318662data4.00973830682IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name            | RVA     | Size  | Type                                                   | Language | Country
RT_CURSOR       | 0x89ac0 | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x89bf4 | 0xb4  | data                                                   | Chinese  | China
RT_CURSOR       | 0x89ca8 | 0x134 | AmigaOS bitmap font                                    | Chinese  | China
RT_CURSOR       | 0x89ddc | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x89f10 | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x8a044 | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x8a178 | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x8a2ac | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x8a3e0 | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x8a514 | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x8a648 | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x8a77c | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x8a8b0 | 0x134 | AmigaOS bitmap font                                    | Chinese  | China
RT_CURSOR       | 0x8a9e4 | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x8ab18 | 0x134 | data                                                   | Chinese  | China
RT_CURSOR       | 0x8ac4c | 0x134 | data                                                   | Chinese  | China
RT_BITMAP       | 0x8ad80 | 0xb8  | data                                                   | Chinese  | China
RT_BITMAP       | 0x8ae38 | 0x144 | data                                                   | Chinese  | China
RT_ICON         | 0x8af7c | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Chinese | China
RT_ICON         | 0x8b264 | 0x128 | GLS_BINARY_LSB_FIRST                                   | Chinese  | China
RT_DIALOG       | 0x8b38c | 0x33c | data                                                   | Chinese  | China
RT_DIALOG       | 0x8b6c8 | 0xe2  | data                                                   | Chinese  | China
RT_DIALOG       | 0x8b7ac | 0x34  | data                                                   | Chinese  | China
RT_STRING       | 0x8b7e0 | 0x4e  | data                                                   | Chinese  | China
RT_STRING       | 0x8b830 | 0x2c  | data                                                   | Chinese  | China
RT_STRING       | 0x8b85c | 0x82  | data                                                   | Chinese  | China
RT_STRING       | 0x8b8e0 | 0x1d6 | data                                                   | Chinese  | China
RT_STRING       | 0x8bab8 | 0x160 | data                                                   | Chinese  | China
RT_STRING       | 0x8bc18 | 0x12e | data                                                   | Chinese  | China
RT_STRING       | 0x8bd48 | 0x50  | data                                                   | Chinese  | China
RT_STRING       | 0x8bd98 | 0x44  | data                                                   | Chinese  | China
RT_STRING       | 0x8bddc | 0x68  | data                                                   | Chinese  | China
RT_STRING       | 0x8be44 | 0x1b8 | data                                                   | Chinese  | China
RT_STRING       | 0x8bffc | 0x104 | data                                                   | Chinese  | China
RT_STRING       | 0x8c100 | 0x24  | data                                                   | Chinese  | China
RT_STRING       | 0x8c124 | 0x30  | data                                                   | Chinese  | China
RT_GROUP_CURSOR | 0x8c154 | 0x22  | Lotus unknown worksheet or configuration, revision 0x2 | Chinese  | China
RT_GROUP_CURSOR | 0x8c178 | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c18c | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c1a0 | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c1b4 | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c1c8 | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c1dc | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c1f0 | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c204 | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c218 | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c22c | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c240 | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c254 | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c268 | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_CURSOR | 0x8c27c | 0x14  | Lotus unknown worksheet or configuration, revision 0x1 | Chinese  | China
RT_GROUP_ICON   | 0x8c290 | 0x22  | data                                                   | Chinese  | China
RT_MANIFEST     | 0x8c2b4 | 0x15a | ASCII text, with CRLF line terminators                 | English  | United States

The Type column is a libmagic guess on the raw resource bytes. The AmigaOS, dBase and Lotus labels on RT_CURSOR, RT_ICON and RT_GROUP_CURSOR entries are misidentifications of ordinary cursor, icon and cursor-group structures, not evidence of embedded files; the resource block is a generic MFC-style dialog/cursor set.

Imports

DLL          | Import
KERNEL32.dll | GetOEMCP, GetCommandLineA, RtlUnwind, ExitProcess, HeapReAlloc, RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, IsValidCodePage, LCMapStringA, LCMapStringW, HeapCreate, HeapDestroy, GetStdHandle, GetCPInfo, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetModuleHandleW, CreateFileA, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedIncrement, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, LocalAlloc, WritePrivateProfileStringA, GlobalFlags, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, FormatMessageA, LocalFree, lstrlenA, InterlockedDecrement, MulDiv, MultiByteToWideChar, GlobalUnlock, GlobalFree, FreeResource, GlobalAddAtomA, GetCurrentProcessId, GetLastError, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, EnumResourceLanguagesA, GetModuleFileNameA, GetLocaleInfoA, WideCharToMultiByte, CompareStringA, FindResourceA, LoadResource, LockResource, SizeofResource, InterlockedExchange, GlobalLock, lstrcmpA, GlobalAlloc, GetModuleHandleA, CreateThread, CloseHandle, VirtualProtect, LoadLibraryA, VirtualAlloc, GetProcAddress, SetLastError, Sleep, IsBadReadPtr, GetProcessHeap, VirtualFree, HeapFree, HeapAlloc, FreeLibrary, VirtualQuery, SetHandleCount, GetNativeSystemInfo
USER32.dll   | LoadCursorA, GetSysColorBrush, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, GetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetMenu, SetForegroundWindow, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetMenuItemID, GetMenuItemCount, GetSubMenu, UnhookWindowsHookEx, GetSysColor, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, GetWindowTextLengthA, GetWindowTextA, GetWindow, SetFocus, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, SetWindowsHookExA, CallNextHookEx, GetMessageA, DestroyMenu, UpdateWindow, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, PostQuitMessage, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, SetTimer, IsIconic, KillTimer, LoadIconA, DrawIcon, GetClientRect, SendMessageA, ShowWindow, PostMessageA, GetSystemMetrics, EnableWindow, GetMenu
GDI32.dll    | GetStockObject, SelectObject, GetDeviceCaps, DeleteDC, Escape, ExtTextOutA, TextOutA, RectVisible, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, CreateBitmap, PtVisible, GetObjectA, DeleteObject, GetClipBox, SetMapMode, SetTextColor, SetBkColor, RestoreDC, SaveDC, SetViewportOrgEx
WINSPOOL.DRV | DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll | RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
SHLWAPI.dll  | PathFindExtensionA
OLEAUT32.dll | VariantClear, VariantChangeType, VariantInit
WS2_32.dll   | htons, setsockopt, sendto, htonl, bind, socket, closesocket, inet_addr, recvfrom, WSACleanup, WSAStartup

Note that the static WS2_32 imports cover only datagram-style calls (socket, bind, sendto, recvfrom) and no connect, send or recv, while the C2 traffic recorded below is TCP. Together with the imported LoadLibraryA, GetProcAddress, VirtualAlloc and VirtualProtect this indicates that the networking and unpacking APIs are resolved at runtime, so the import table understates the sample's real capability.

Exports

Name              | Ordinal | Address
DllRegisterServer | 1       | 0x1001df20

Possible Origin

Language of compilation system | Country where language is spoken
Chinese                        | China
English                        | United States
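The Data Directories, Sections and Exports tables above are what a triager reads first: a single DllRegisterServer export (the function regsvr32 /s calls, and the one rundll32 reaches as ordinal #1), a .data section whose ZLIB complexity (0.74) and entropy (6.11) are high for initialized data, and every non-empty directory resolving into a declared section. The Python below is an added example, not code from the report or from Joe Sandbox. It constructs a small PE32 DLL in memory (its bytes are not the analysed sample; only the .text/.rdata/.data layout and the DLL flag are mimicked), parses the DOS, COFF and optional headers and the section table with struct, computes per-section Shannon entropy, maps directory RVAs back to sections and applies the triage heuristics just described. The 6.0 entropy threshold, the section contents and the deliberately dangling BASERELOC entry are this example's assumptions.

```python
"""Minimal PE32 triage: data directories, section table, per-section entropy.

Added example; not code from the report or from Joe Sandbox. build_sample_pe()
constructs a small PE32 DLL in memory so the parser runs offline: its bytes are
NOT the analysed sample, and its dangling BASERELOC entry is deliberate.
"""
import math
import random
import struct
from collections import Counter

DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG", "COPYRIGHT",
             "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
SCN_CODE, SCN_INIT = 0x20, 0x40
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
ENTROPY_LIMIT = 6.0   # assumed threshold for non-code sections; the report's .data (6.11) would trip it


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(img: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table (PE32 only)."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", img, coff)
    opt = coff + 20
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    ndirs = struct.unpack_from("<I", img, opt + 92)[0]                  # NumberOfRvaAndSizes
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", img, opt + 96 + 8 * i)  # (rva, size)
            for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", img, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": sc,
                         "entropy": entropy(img[rawptr:rawptr + rawsize])})
    return {"machine": machine, "is_dll": bool(chars & 0x2000), "dirs": dirs, "sections": sections}


def rva_to_section(pe: dict, rva: int):
    """Name of the section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def triage_flags(pe: dict) -> list:
    """Section-table heuristics a triager applies before opening a disassembler."""
    flags = []
    for s in pe["sections"]:
        if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXEC:
            flags.append(f"{s['name']}: writable and executable")
        if s["entropy"] > ENTROPY_LIMIT and not s["chars"] & SCN_CODE:
            flags.append(f"{s['name']}: high entropy ({s['entropy']:.2f}) in a non-code section, "
                         "likely packed or encrypted payload")
        if s["rawsize"] == 0 and s["vsize"]:
            flags.append(f"{s['name']}: no raw data but {s['vsize']:#x} bytes reserved, possible unpack target")
    for name, (rva, _) in pe["dirs"].items():
        if rva and rva_to_section(pe, rva) is None:
            flags.append(f"{name} directory at RVA {rva:#x} lies outside every section")
    return flags


def build_sample_pe() -> bytes:
    """Constructed PE32 DLL: low-entropy .text, string-only .rdata, random (payload-like) .data."""
    rng = random.Random(1)
    text = bytes([0x55, 0x8B, 0xEC, 0x5D, 0xC3] * 0xCC + [0x90] * 4)          # 0x400 bytes of prologue/ret
    rdata = b"DllRegisterServer\0".ljust(0x200, b"\0")
    data = bytes(rng.getrandbits(8) for _ in range(0x400))                   # stands in for an encrypted blob
    layout = [(b".text", 0x3F0, 0x1000, text, SCN_CODE | SCN_EXEC | SCN_READ),
              (b".rdata", 0x1C0, 0x2000, rdata, SCN_INIT | SCN_READ),
              (b".data", 0x1000, 0x3000, data, SCN_INIT | SCN_READ | SCN_WRITE)]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x2102)  # i386, DLL, 32-bit, executable
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                      # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                            # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, 0x2000, 0x50)                             # EXPORT -> inside .rdata
    struct.pack_into("<II", opt, 96 + 8 * 5, 0x5000, 0x10)                     # BASERELOC -> no section (deliberate)
    hdrs, raw, ptr = b"", b"", 0x200
    for name, vsize, va, blob, sc in layout:
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(blob), ptr, 0, 0, 0, 0, sc)
        raw += blob
        ptr += len(blob)
    return (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(0x200, b"\0") + raw


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:<7} va={s['va']:#07x} vsize={s['vsize']:#07x} raw={s['rawsize']:#07x} H={s['entropy']:.2f}")
    print(*triage_flags(pe), sep="\n")
```

Against a real file, replace build_sample_pe() with the file's bytes; the parser deliberately stops at the section table so the same code can be pointed at carved memory dumps, where the import and export directories are often already destroyed.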

Network Behavior

Snort IDS Alerts

Timestamp                | Protocol | SID     | Message                                               | Source Port | Dest Port | Source IP   | Dest IP
01/14/22-19:33:04.728184 | TCP      | 2404332 | ET CNC Feodo Tracker Reported CnC Server TCP group 17 | 49759       | 80        | 192.168.2.5 | 45.138.98.34
01/14/22-19:33:06.058425 | TCP      | 2404338 | ET CNC Feodo Tracker Reported CnC Server TCP group 20 | 49760       | 8080      | 192.168.2.5 | 69.16.218.101

Network Port Distribution

TCP Packets

Timestamp                           | Source Port | Dest Port | Source IP     | Dest IP
Jan 14, 2022 19:33:04.728183985 CET | 49759       | 80        | 192.168.2.5   | 45.138.98.34
Jan 14, 2022 19:33:04.745012999 CET | 80          | 49759     | 45.138.98.34  | 192.168.2.5
Jan 14, 2022 19:33:05.336929083 CET | 49759       | 80        | 192.168.2.5   | 45.138.98.34
Jan 14, 2022 19:33:05.353924036 CET | 80          | 49759     | 45.138.98.34  | 192.168.2.5
Jan 14, 2022 19:33:06.024596930 CET | 49759       | 80        | 192.168.2.5   | 45.138.98.34
Jan 14, 2022 19:33:06.041500092 CET | 80          | 49759     | 45.138.98.34  | 192.168.2.5
Jan 14, 2022 19:33:06.058424950 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101
Jan 14, 2022 19:33:06.189708948 CET | 8080        | 49760     | 69.16.218.101 | 192.168.2.5
Jan 14, 2022 19:33:06.189893007 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101
Jan 14, 2022 19:33:06.240536928 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101
Jan 14, 2022 19:33:06.372925997 CET | 8080        | 49760     | 69.16.218.101 | 192.168.2.5
Jan 14, 2022 19:33:06.385310888 CET | 8080        | 49760     | 69.16.218.101 | 192.168.2.5
Jan 14, 2022 19:33:06.385348082 CET | 8080        | 49760     | 69.16.218.101 | 192.168.2.5
Jan 14, 2022 19:33:06.385689974 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101
Jan 14, 2022 19:33:06.387833118 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101
Jan 14, 2022 19:33:11.379013062 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101
Jan 14, 2022 19:33:11.510134935 CET | 8080        | 49760     | 69.16.218.101 | 192.168.2.5
Jan 14, 2022 19:33:11.511019945 CET | 8080        | 49760     | 69.16.218.101 | 192.168.2.5
Jan 14, 2022 19:33:11.511121988 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101
Jan 14, 2022 19:33:11.523237944 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101
Jan 14, 2022 19:33:11.656239033 CET | 8080        | 49760     | 69.16.218.101 | 192.168.2.5
Jan 14, 2022 19:33:12.168735027 CET | 8080        | 49760     | 69.16.218.101 | 192.168.2.5
Jan 14, 2022 19:33:12.168952942 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101
Jan 14, 2022 19:33:15.168406963 CET | 8080        | 49760     | 69.16.218.101 | 192.168.2.5
Jan 14, 2022 19:33:15.168432951 CET | 8080        | 49760     | 69.16.218.101 | 192.168.2.5
Jan 14, 2022 19:33:15.168648958 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101
Jan 14, 2022 19:34:54.661190033 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101
Jan 14, 2022 19:34:54.661230087 CET | 49760       | 8080      | 192.168.2.5   | 69.16.218.101

DNS Answers

Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                     | CName                        | Address | Type                   | Class
Jan 14, 2022 19:37:25.699086905 CET | 8.8.8.8   | 192.168.2.5 | 0x5dd8   | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net |         | CNAME (Canonical name) | IN (0x0001)
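The two Snort hits and the TCP table describe the same two conversations: three short round trips with 45.138.98.34:80, then a longer session with 69.16.218.101:8080 that is still sending at 19:34:54. The ET CNC Feodo Tracker signatures match on destination address against a published C2 list rather than on payload, so each hit is an IOC match that the packet log then has to substantiate; the single DNS answer (a Microsoft identity CNAME) is background traffic unrelated to the C2 flows. The Python below is an added example, not part of the report or of Joe Sandbox. It parses Snort alert_fast lines with a regex, joins them to packet records on a direction-independent 4-tuple, counts packets each way and reports duration and whether the peer answered. The alert lines and packet records are constructed to mirror the tables above (rule revision and classification text are placeholders; the packet list is a subset of the TCP table plus one benign DNS reply), and the packet record shape is this example's own.

```python
"""Correlate Snort alert_fast lines with packet records into C2 session summaries.

Added example; not part of the report or of Joe Sandbox. ALERTS and PACKETS are
constructed to mirror the report's tables (rule revision and classification text
are placeholders; PACKETS is a subset of the TCP table plus one benign DNS reply).
The record shape (ts, sport, dport, src, dst) is this example's own.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# alert_fast: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [...] {proto} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")

ALERTS = [  # constructed; rev "1" and the classification text are placeholders
    "01/14-19:33:04.728184  [**] [1:2404332:1] ET CNC Feodo Tracker Reported CnC Server TCP group 17 [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49759 -> 45.138.98.34:80",
    "01/14-19:33:06.058425  [**] [1:2404338:1] ET CNC Feodo Tracker Reported CnC Server TCP group 20 [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49760 -> 69.16.218.101:8080",
]

PACKETS = [  # (timestamp, sport, dport, src, dst): subset of the report's TCP table plus one benign reply
    ("2022-01-14 19:33:04.728183", 49759, 80, "192.168.2.5", "45.138.98.34"),
    ("2022-01-14 19:33:04.745012", 80, 49759, "45.138.98.34", "192.168.2.5"),
    ("2022-01-14 19:33:05.336929", 49759, 80, "192.168.2.5", "45.138.98.34"),
    ("2022-01-14 19:33:05.353924", 80, 49759, "45.138.98.34", "192.168.2.5"),
    ("2022-01-14 19:33:06.024596", 49759, 80, "192.168.2.5", "45.138.98.34"),
    ("2022-01-14 19:33:06.041500", 80, 49759, "45.138.98.34", "192.168.2.5"),
    ("2022-01-14 19:33:06.058424", 49760, 8080, "192.168.2.5", "69.16.218.101"),
    ("2022-01-14 19:33:06.189708", 8080, 49760, "69.16.218.101", "192.168.2.5"),
    ("2022-01-14 19:33:06.240536", 49760, 8080, "192.168.2.5", "69.16.218.101"),
    ("2022-01-14 19:33:11.379013", 49760, 8080, "192.168.2.5", "69.16.218.101"),
    ("2022-01-14 19:33:15.168406", 8080, 49760, "69.16.218.101", "192.168.2.5"),
    ("2022-01-14 19:34:54.661190", 49760, 8080, "192.168.2.5", "69.16.218.101"),
    ("2022-01-14 19:37:25.699086", 53, 55001, "8.8.8.8", "192.168.2.5"),   # constructed benign DNS reply
]

LOCAL = ipaddress.ip_network("192.168.2.0/24")   # assumed monitored LAN


def parse_fast_alert(line: str, year: int = 2022):
    """Parse one alert_fast line; the format carries no year, so it is supplied."""
    m = FAST_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
            "sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"])}


def flow_key(src, sport, dst, dport):
    """Direction-independent 4-tuple so both halves of a conversation share one key."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def correlate(alerts, packets):
    """Attach packet counts, duration and reply status to each alert's flow."""
    by_flow = defaultdict(list)
    for ts, sport, dport, src, dst in packets:
        by_flow[flow_key(src, sport, dst, dport)].append((datetime.fromisoformat(ts), src))
    sessions = []
    for a in alerts:
        pkts = by_flow.get(flow_key(a["src"], a["sport"], a["dst"], a["dport"]), [])
        out = sum(1 for _, src in pkts if ipaddress.ip_address(src) in LOCAL)
        times = [t for t, _ in pkts]
        sessions.append({
            "c2": f"{a['dst']}:{a['dport']}", "sid": a["sid"], "msg": a["msg"],
            "pkts_out": out, "pkts_in": len(pkts) - out,
            "duration_s": (max(times) - min(times)).total_seconds() if times else 0.0,
            "answered": len(pkts) - out > 0,
        })
    return sessions


def iocs(sessions):
    """Distinct C2 endpoints the host actually sent traffic to (blocklist / hunting input)."""
    return sorted({s["c2"] for s in sessions if s["pkts_out"]})


if __name__ == "__main__":
    parsed = [a for a in map(parse_fast_alert, ALERTS) if a]
    summary = correlate(parsed, PACKETS)
    for s in summary:
        print(s)
    print("IOCs:", iocs(summary))
```

With a full capture the same join also answers the question an IDS alone cannot: whether the peer replied at all (an unanswered SYN to a listed address is a much weaker signal than the two-way sessions seen here).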

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 19:32:40
Start date: 14/01/2022
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll"
Imagebase: 0x20000
File size: 116736 bytes
MD5 hash: 7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.299691728.0000000002180000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.299733023.00000000021B1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.274800070.0000000002180000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.274835545.00000000021B1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.273742640.00000000021B1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.273707412.0000000002180000.00000040.00000001.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 19:32:41
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:32:41
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",#1
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:32:41
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32.exe /s C:\Users\user\Desktop\MUm03X31dO.dll
Imagebase: 0x1190000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.265604220.00000000031E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.265632005.0000000003211000.00000020.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 19:32:41
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",#1
Imagebase: 0x9a0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.267814395.0000000000920000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.271058479.0000000002A01000.00000020.00000001.sdmp, Author: Joe Security
Reputation: high

                                                                                              General

                                                                                              Start time:19:32:42
                                                                                              Start date:14/01/2022
                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:rundll32.exe C:\Users\user\Desktop\MUm03X31dO.dll,DllRegisterServer
                                                                                              Imagebase:0x9a0000
                                                                                              File size:61952 bytes
                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.279872863.0000000005681000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.279101229.0000000003420000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.279636390.00000000053D1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.279824791.0000000005621000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.279685009.0000000005490000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.279848866.0000000005650000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.280137908.00000000059D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.280317920.0000000005A01000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.279133215.0000000003451000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.279724153.00000000054C1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.279796782.00000000055F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.279604016.00000000053A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:19:32:43
                                                                                              Start date:14/01/2022
                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",DllRegisterServer
                                                                                              Imagebase:0x9a0000
                                                                                              File size:61952 bytes
                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:19:32:43
                                                                                              Start date:14/01/2022
                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MUm03X31dO.dll",DllRegisterServer
                                                                                              Imagebase:0x9a0000
                                                                                              File size:61952 bytes
                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.325569236.0000000004F91000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.325659124.0000000004FF1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.324583547.0000000004841000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.325516887.0000000004F60000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.325610829.0000000004FC0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.325399866.0000000004E80000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.325458310.0000000004EB1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.324499260.0000000004810000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:19:32:47
                                                                                              Start date:14/01/2022
                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                              Imagebase:0x7ff797770000
                                                                                              File size:51288 bytes
                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language

                                                                                              General

                                                                                              Start time:19:32:48
                                                                                              Start date:14/01/2022
                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3092 -ip 3092
                                                                                              Imagebase:0xe60000
                                                                                              File size:434592 bytes
                                                                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language

                                                                                              General

                                                                                              Start time:19:32:49
                                                                                              Start date:14/01/2022
                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qcnuamvgfncza\wcwmsazphhlpar.wmq",LVfdvbviW
                                                                                              Imagebase:0x9a0000
                                                                                              File size:61952 bytes
                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.283643613.0000000004CA1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.283528746.0000000004C70000.00000040.00000001.sdmp, Author: Joe Security

                                                                                              General

                                                                                              Start time:19:32:49
                                                                                              Start date:14/01/2022
                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 280
                                                                                              Imagebase:0xe60000
                                                                                              File size:434592 bytes
                                                                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language

                                                                                              General

                                                                                              Start time:19:32:51
                                                                                              Start date:14/01/2022
                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qcnuamvgfncza\wcwmsazphhlpar.wmq",DllRegisterServer
                                                                                              Imagebase:0x9a0000
                                                                                              File size:61952 bytes
                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.789766626.0000000003591000.00000020.00000010.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.792807841.0000000006080000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.789644115.0000000003560000.00000040.00000010.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.791029959.00000000056E1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.792730843.0000000005FB1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.792383699.0000000005DB1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.790492761.0000000005300000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.792197793.0000000005CD1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.791999231.0000000005B91000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.791439541.00000000058A1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.792916156.00000000060E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.792123168.0000000005CA0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.792865866.00000000060B1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.790959470.00000000056B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.791273424.0000000005841000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.791366610.0000000005870000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.790442344.0000000004F91000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.792648530.0000000005F80000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.790324399.0000000004F30000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.792953896.0000000006111000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.791155668.0000000005810000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.792292788.0000000005D80000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.790839088.0000000005601000.00000020.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.791959998.0000000005B60000.00000040.00000001.sdmp, Author: Joe Security

                                                                                              General

                                                                                              Start time:19:32:51
                                                                                              Start date:14/01/2022
                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                              Imagebase:0x7ff797770000
                                                                                              File size:51288 bytes
                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language

                                                                                              General

                                                                                              Start time:19:32:52
                                                                                              Start date:14/01/2022
                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                              Imagebase:0x7ff797770000
                                                                                              File size:51288 bytes
                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language

                                                                                              General

                                                                                              Start time:19:32:53
                                                                                              Start date:14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 19:32:54
Start date: 14/01/2022
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff722c40000
File size: 163336 bytes
MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:32:55
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 19:33:16
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:33:29
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:33:54
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:33:58
Start date: 14/01/2022
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase: 0x7ff6cfd80000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 19:33:58
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 19:35:02
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:35:21
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis