Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
3j6e3XaMWM

Overview

General Information

Sample Name:3j6e3XaMWM (renamed file extension from none to dll)
Analysis ID:626491
MD5:fded8e79db5a443a816be9dde9f6b499
SHA1:bec722ecd7d977f06914c629a345bad171a352e3
SHA256:1ddda2d0e1f8885a26ddedce73bc64dd830bad2769ad1e4186b676e885dcf0ec
Tags:exetrojan
Infos:

Detection

Emotet
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • svchost.exe (PID: 6232 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • loaddll64.exe (PID: 5460 cmdline: loaddll64.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6240 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6460 cmdline: rundll32.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • regsvr32.exe (PID: 644 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\THydtigNYD\IHlj.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 6472 cmdline: regsvr32.exe /s C:\Users\user\Desktop\3j6e3XaMWM.dll MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 6488 cmdline: rundll32.exe C:\Users\user\Desktop\3j6e3XaMWM.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4308 cmdline: rundll32.exe C:\Users\user\Desktop\3j6e3XaMWM.dll,DllUnregisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 2276 cmdline: C:\Windows\system32\WerFault.exe -u -p 4308 -s 328 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • svchost.exe (PID: 3616 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6540 cmdline: C:\Windows\system32\WerFault.exe -pss -s 468 -p 4308 -ip 4308 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • svchost.exe (PID: 6808 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5412 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6204 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6896 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6860 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
00000005.00000002.375271651.0000000180001000.00000020.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
    00000006.00000000.381392623.0000022E50210000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
      00000007.00000002.883246847.0000000002C50000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
        00000006.00000000.380824464.0000000180001000.00000020.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
          00000006.00000000.382173038.0000000180001000.00000020.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
            Click to see the 9 entries
            SourceRuleDescriptionAuthorStrings
            6.2.rundll32.exe.22e50210000.1.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
              6.0.rundll32.exe.22e50210000.1.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                5.2.rundll32.exe.1b484850000.1.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                  4.2.rundll32.exe.209e1550000.0.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                    3.2.regsvr32.exe.8d0000.0.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                      Click to see the 9 entries
                      No Sigma rule has matched
                      No Snort rule has matched

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Source: 3j6e3XaMWM.dllVirustotal: Detection: 35%Perma Link
                      Source: unknownHTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.6:49773 version: TLS 1.2
                      Source: 3j6e3XaMWM.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: msacm32.pdb source: rundll32.exe, 00000006.00000002.466956533.000000954DBA6000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000006.00000000.381278248.000000954DBA6000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.882878968.0000000000FF5000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: msacm32.pdbGCTL source: rundll32.exe, 00000006.00000002.466956533.000000954DBA6000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000006.00000000.381278248.000000954DBA6000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.882878968.0000000000FF5000.00000004.00000010.00020000.00000000.sdmp
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,

                      Networking

                      barindex
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 23.239.0.12 443
                      Source: Joe Sandbox ViewASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
                      Source: Joe Sandbox ViewJA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: BEJM=B0MGT1W30RM3I4GmkEo6AFWzbLRu3On53gxiwSGx6yRZs0mGt+SHT8eG7/u0LeKrYNoQkBpLGorS2h/gEoZIBzBkiZOHVid0kwLK/hPcmLPzB3j0unJDOTA5Ud0K1Il2wc6nUP+e9EdQ02zLEC+OZuHSkXujChtUoRUlROWyeXOSUngdG2CIK5drFpd5Vja0+edokEuhYKG1nLzixOhGSFbNojUAyLkT5uaWwQVIm4n4K7lKtm5XNtsrrMSO7G5Ho12N6QI9SQi8B7a3Nrm1jrPog9Fd8/xe+/hF9GoCjtAzD40F9wj0eCX3GkPW6oXDn0qzrGs6wlZPplWLyXsv1OjEupTe4NYBxsza1XQVKPuZQEoZmdH6hsyZzw==Host: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 23.239.0.12 23.239.0.12
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: svchost.exe, 0000001A.00000003.689440057.000001D59E75E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO"," equals www.facebook.com (Facebook)
                      Source: svchost.exe, 0000001A.00000003.689440057.000001D59E75E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO"," equals www.twitter.com (Twitter)
                      Source: svchost.exe, 0000001A.00000003.689440057.000001D59E75E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 0000001A.00000003.689440057.000001D59E75E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 0000001A.00000003.689440057.000001D59E75E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 0000001A.00000003.689440057.000001D59E75E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 00000000.00000002.883904682.000002068908A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.446261214.000000000133B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.883077892.000000000133B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.700934222.000001D59DEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 00000000.00000002.883904682.000002068908A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.700934222.000001D59DEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                      Source: svchost.exe, 00000000.00000002.883458243.0000020683A9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.o
                      Source: regsvr32.exe, 00000007.00000002.882991017.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.446504394.000000000130D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.882925406.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.446482007.000000000130A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.446460199.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.446546176.0000000001310000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.883032132.0000000001310000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://23.239.0.12/
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800132F0 InternetReadFile,RtlAllocateHeap,
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: BEJM=B0MGT1W30RM3I4GmkEo6AFWzbLRu3On53gxiwSGx6yRZs0mGt+SHT8eG7/u0LeKrYNoQkBpLGorS2h/gEoZIBzBkiZOHVid0kwLK/hPcmLPzB3j0unJDOTA5Ud0K1Il2wc6nUP+e9EdQ02zLEC+OZuHSkXujChtUoRUlROWyeXOSUngdG2CIK5drFpd5Vja0+edokEuhYKG1nLzixOhGSFbNojUAyLkT5uaWwQVIm4n4K7lKtm5XNtsrrMSO7G5Ho12N6QI9SQi8B7a3Nrm1jrPog9Fd8/xe+/hF9GoCjtAzD40F9wj0eCX3GkPW6oXDn0qzrGs6wlZPplWLyXsv1OjEupTe4NYBxsza1XQVKPuZQEoZmdH6hsyZzw==Host: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownHTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.6:49773 version: TLS 1.2

                      E-Banking Fraud

                      barindex
                      Source: Yara matchFile source: 6.2.rundll32.exe.22e50210000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.rundll32.exe.22e50210000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1b484850000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.209e1550000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.8d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1b484850000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.8d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.22e50210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.regsvr32.exe.2c50000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.rundll32.exe.22e50210000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.rundll32.exe.22e50210000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.209e1550000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.regsvr32.exe.2c50000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.rundll32.exe.22e50210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.375271651.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.381392623.0000022E50210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.883246847.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.380824464.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.382173038.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.467112227.0000022E50210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.378481770.00000209E1550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.883481095.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.375521942.000001B484850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.382607830.0000022E50210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.375328025.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.466918273.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.375874843.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.377870030.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 4308 -ip 4308
                      Source: C:\Windows\System32\rundll32.exeFile deleted: C:\Windows\System32\THydtigNYD\IHlj.dll:Zone.IdentifierJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0AE6C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0A6F0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0AA77C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0AAF70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0AFB6C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0AEB60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0AFCA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0A895C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0A5944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0AB5CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0AAA0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00890000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180010FF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180028C20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002C058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180009100
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001C964
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000C608
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180021618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001E3AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001DBE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001FC0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000580C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180022010
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001481C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002A42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180011834
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180023831
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180021C3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000703C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000AC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000FC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180006458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001C05C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001A460
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180029888
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001D49C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180008CA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800248A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180015CB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800124B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000C4B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800288B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800024B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000D8C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800250CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800190D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180017CE4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800264F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800014F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180020CFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002C904
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180017908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180021510
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000F917
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000BDD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180013E28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001435C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180009F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180029368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180020768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180017378
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180013780
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180015388
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000338C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000738C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180002790
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180027F9C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800197A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002C7B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001DFB4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001F7C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800097C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800157D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180019FDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180017BDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000F7E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180028C20
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180007958
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C964
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800059B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013E28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180023831
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180024458
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800024B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000D8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800250CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800190D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017CE4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800264F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800014F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180020CFC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C904
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017908
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180021510
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F917
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000551C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F128
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001CD38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180016D3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001F944
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018148
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D950
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013150
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001ED50
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E960
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019D60
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001D68
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001496C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002D70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180024574
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002178
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180024D80
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018598
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180003598
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002A9A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800119A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180025DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800269B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800029BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800141C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800125C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800121CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000BDD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800075D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800095DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F9E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FA38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A270
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019E78
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DA80
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180024698
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000EE98
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800176B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180011AD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008AD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800296EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A6EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800132F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019300
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BB04
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002870C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180026B10
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000131C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000671C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180029B28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180012F28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000BB28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001EB30
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180020334
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180010758
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001435C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180009F5C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180029368
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180020768
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017378
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013780
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180015388
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000338C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000738C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002790
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180027F9C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800197A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C7B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DFB4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001F7C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800097C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800157D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019FDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017BDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F7E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000209E1540000
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800024B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000D8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800250CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800190D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180017CE4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800264F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800014F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180020CFC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018002C904
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180017908
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180021510
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000F917
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000551C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000F128
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001CD38
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180016D3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001F944
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180018148
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001ED50
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180013150
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001D950
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001E960
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180019D60
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001C964
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180001D68
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001496C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180002D70
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180002178
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180024D80
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180018598
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180003598
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018002A9A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800119A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180025DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180018DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800269B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800059B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800029BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800141C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800125C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800121CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800075D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800095DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000F9E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180019618
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180013E28
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001FA38
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000A270
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180019E78
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001DA80
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180024698
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000EE98
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800176B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180011AD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180008AD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800296EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000A6EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800132F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180019300
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001BB04
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018002870C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180026B10
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000131C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000671C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180029B28
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180012F28
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000BB28
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001EB30
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180020334
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180010758
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001435C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180009F5C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180029368
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180020768
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180017378
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180013780
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180015388
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000338C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000738C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180002790
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800197A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018002C7B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001DFB4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001F7C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800097C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800157D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180019FDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180017BDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000F7E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001B483200000
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_0000022E50200000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_01600000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180010FF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180028C20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018002C058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001ACA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000E1E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000C608
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180021618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180013E28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018002AE44
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000D26C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180025278
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800046A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180004ACA
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001DBE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001FC0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000580C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180022010
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001481C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018002A42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180011834
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180021C3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000703C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000AC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000FC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180024458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180006458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001C05C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001A460
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180029888
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001D49C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180008CA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800248A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180015CB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800124B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000C4B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800288B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800024B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000D8C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800250CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800190D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180017CE4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800264F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800014F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180020CFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180009100
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018002C904
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180017908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180021510
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000F917
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001C964
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001C568
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180024574
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001F1A4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000BDD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018002CAD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
                      Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
                      Source: 3j6e3XaMWM.dllVirustotal: Detection: 35%
                      Source: 3j6e3XaMWM.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\svchost.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll"
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3j6e3XaMWM.dll
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3j6e3XaMWM.dll,DllRegisterServer
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3j6e3XaMWM.dll,DllUnregisterServer
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\THydtigNYD\IHlj.dll"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 4308 -ip 4308
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4308 -s 328
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3j6e3XaMWM.dll
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3j6e3XaMWM.dll,DllRegisterServer
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3j6e3XaMWM.dll,DllUnregisterServer
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll",#1
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\THydtigNYD\IHlj.dll"
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 4308 -ip 4308
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4308 -s 328
                      Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
                      Source: C:\Windows\System32\svchost.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE245.tmpJump to behavior
                      Source: classification engineClassification label: mal68.troj.evad.winDLL@25/8@0/3
                      Source: C:\Windows\System32\rundll32.exeCode function: CreateServiceW,
                      Source: C:\Windows\System32\regsvr32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800046A8 CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification,
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll",#1
                      Source: C:\Windows\System32\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:6540:120:WilError_01
                      Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4308
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: 3j6e3XaMWM.dllStatic PE information: Image base 0x180000000 > 0x60000000
                      Source: 3j6e3XaMWM.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: msacm32.pdb source: rundll32.exe, 00000006.00000002.466956533.000000954DBA6000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000006.00000000.381278248.000000954DBA6000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.882878968.0000000000FF5000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: msacm32.pdbGCTL source: rundll32.exe, 00000006.00000002.466956533.000000954DBA6000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000006.00000000.381278248.000000954DBA6000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.882878968.0000000000FF5000.00000004.00000010.00020000.00000000.sdmp
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001AFFD push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800051D1 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001BA32 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180004E83 push es; ret
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001B694 push es; ret
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001BADD push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001B717 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180007B3F push esp; retf
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001AF4E push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AFFD push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800051D1 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BA32 push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180004E83 push es; ret
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001B694 push es; ret
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BADD push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001B717 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AF4E push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800253BC pushfd ; retn 0057h
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001AFFD push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800051D1 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001BA32 push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180004E83 push es; ret
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001B694 push es; ret
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001BADD push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001B717 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180007B3F push esp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001AF4E push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_00000001800051D1 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180004E83 push es; ret
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_0000000180007B3F push esp; retf
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0A7BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,
                      Source: 3j6e3XaMWM.dllStatic PE information: real checksum: 0x85ab6 should be: 0x8883f
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3j6e3XaMWM.dll
                      Source: C:\Windows\System32\rundll32.exePE file moved: C:\Windows\System32\THydtigNYD\IHlj.dllJump to behavior

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Windows\system32\BDGVfQXOMvdcLJAl\OtDglnCbdQIQacE.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\system32\THydtigNYD\IHlj.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\system32\PeAoZwvNIG\hlRaq.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 820Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6700Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                      Source: C:\Windows\System32\regsvr32.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,
                      Source: C:\Windows\System32\regsvr32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\regsvr32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: svchost.exe, 00000000.00000002.883887080.0000020689061000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.700955723.000001D59DEFB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @Hyper-V RAW
                      Source: svchost.exe, 00000000.00000002.883870627.000002068904A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.883165478.0000020683A29000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.882991017.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.446504394.000000000130D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.446482007.000000000130A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.446460199.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.446546176.0000000001310000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.883032132.0000000001310000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.700934222.000001D59DEEC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.700786296.000001D59DE83000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000011.00000002.882962844.0000020516402000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: rundll32.exe, 00000005.00000002.375456684.000001B482E98000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: svchost.exe, 00000011.00000002.883011029.0000020516428000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0A20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0A7BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,
                      Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0AD318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0A20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0A6550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 23.239.0.12 443
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll",#1
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 4308 -ip 4308
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4308 -s 328
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\regsvr32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0A4558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFF2E0AE6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara matchFile source: 6.2.rundll32.exe.22e50210000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.rundll32.exe.22e50210000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1b484850000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.209e1550000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.8d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1b484850000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.8d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.22e50210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.regsvr32.exe.2c50000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.rundll32.exe.22e50210000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.rundll32.exe.22e50210000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.209e1550000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.regsvr32.exe.2c50000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.rundll32.exe.22e50210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.375271651.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.381392623.0000022E50210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.883246847.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.380824464.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.382173038.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.467112227.0000022E50210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.378481770.00000209E1550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.883481095.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.375521942.000001B484850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.382607830.0000022E50210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.375328025.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.466918273.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.375874843.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.377870030.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid Accounts2
                      Native API
                      1
                      Windows Service
                      1
                      Windows Service
                      2
                      Masquerading
                      OS Credential Dumping2
                      System Time Discovery
                      Remote Services1
                      Archive Collected Data
                      Exfiltration Over Other Network Medium11
                      Encrypted Channel
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/Job1
                      DLL Side-Loading
                      111
                      Process Injection
                      3
                      Virtualization/Sandbox Evasion
                      LSASS Memory1
                      Query Registry
                      Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth2
                      Ingress Tool Transfer
                      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)1
                      DLL Side-Loading
                      111
                      Process Injection
                      Security Account Manager31
                      Security Software Discovery
                      SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                      Non-Application Layer Protocol
                      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      Hidden Files and Directories
                      NTDS3
                      Virtualization/Sandbox Evasion
                      Distributed Component Object ModelInput CaptureScheduled Transfer2
                      Application Layer Protocol
                      SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      Obfuscated Files or Information
                      LSA Secrets2
                      Process Discovery
                      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common1
                      Regsvr32
                      Cached Domain Credentials1
                      Remote System Discovery
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                      Rundll32
                      DCSync2
                      File and Directory Discovery
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading
                      Proc Filesystem34
                      System Information Discovery
                      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                      File Deletion
                      /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 626491 Sample: 3j6e3XaMWM Startdate: 14/05/2022 Architecture: WINDOWS Score: 68 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected Emotet 2->45 8 loaddll64.exe 1 2->8         started        10 svchost.exe 4 2->10         started        12 svchost.exe 9 1 2->12         started        15 5 other processes 2->15 process3 dnsIp4 17 cmd.exe 1 8->17         started        19 regsvr32.exe 2 8->19         started        22 rundll32.exe 2 8->22         started        24 rundll32.exe 8->24         started        26 WerFault.exe 10->26         started        39 127.0.0.1 unknown unknown 12->39 41 192.168.2.1 unknown unknown 15->41 process5 signatures6 28 rundll32.exe 2 17->28         started        49 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->49 31 WerFault.exe 17 9 24->31         started        process7 signatures8 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->51 33 regsvr32.exe 28->33         started        process9 dnsIp10 37 23.239.0.12, 443, 49773 LINODE-APLinodeLLCUS United States 33->37 47 System process connects to network (likely due to code injection or exploit) 33->47 signatures11

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand
                      SourceDetectionScannerLabelLink
                      3j6e3XaMWM.dll36%VirustotalBrowse
                      No Antivirus matches
                      SourceDetectionScannerLabelLinkDownload
                      6.2.rundll32.exe.22e50210000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      5.2.rundll32.exe.1b484850000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      6.0.rundll32.exe.22e50210000.4.unpack100%AviraHEUR/AGEN.1215493Download File
                      4.2.rundll32.exe.209e1550000.0.unpack100%AviraHEUR/AGEN.1215493Download File
                      6.0.rundll32.exe.22e50210000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      3.2.regsvr32.exe.8d0000.0.unpack100%AviraHEUR/AGEN.1215493Download File
                      7.2.regsvr32.exe.2c50000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      No Antivirus matches
                      SourceDetectionScannerLabelLink
                      http://crl.ver)0%Avira URL Cloudsafe
                      https://23.239.0.12/0%URL Reputationsafe
                      http://schemas.xmlsoap.o0%URL Reputationsafe
                      No contacted domains info
                      NameMaliciousAntivirus DetectionReputation
                      https://23.239.0.12/true
                      • URL Reputation: safe
                      unknown
                      NameSourceMaliciousAntivirus DetectionReputation
                      http://crl.ver)svchost.exe, 00000000.00000002.883904682.000002068908A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.700934222.000001D59DEEC000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      low
                      http://schemas.xmlsoap.osvchost.exe, 00000000.00000002.883458243.0000020683A9E000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
                      IPDomainCountryFlagASNASN NameMalicious
                      23.239.0.12
                      unknownUnited States
                      63949LINODE-APLinodeLLCUStrue
                      IP
                      192.168.2.1
                      127.0.0.1
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:626491
                      Start date and time: 14/05/202204:43:322022-05-14 04:43:32 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 11m 17s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:3j6e3XaMWM (renamed file extension from none to dll)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:29
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal68.troj.evad.winDLL@25/8@0/3
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:Failed
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.82.210.154, 52.168.117.173, 20.82.209.183, 20.223.24.244, 40.112.88.60
                      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, sls.update.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.msftconnecttest.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.micros
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      TimeTypeDescription
                      04:44:41API Interceptor3x Sleep call for process: svchost.exe modified
                      04:45:29API Interceptor1x Sleep call for process: WerFault.exe modified
                      No context
                      No context
                      No context
                      No context
                      No context
                      Process:C:\Windows\System32\svchost.exe
                      File Type:Extensible storage user DataBase, version 0x620, checksum 0x495d275e, page size 16384, DirtyShutdown, Windows version 10.0
                      Category:dropped
                      Size (bytes):786432
                      Entropy (8bit):0.25073284170659477
                      Encrypted:false
                      SSDEEP:384:E+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:7SB2nSB2RSjlK/+mLesOj1J2
                      MD5:3C582CB8347FD420AD0F44734E1811CA
                      SHA1:313FE58A374EC33FC484AA96BE8D5E74E1265E84
                      SHA-256:967739C2B1FAB4191C23D5A7D3BB8D61E8A8A9F599A7938BECDDE8C93AB91F5A
                      SHA-512:3A20447921562CF40A688E95022718F6B55BB60F65FF0A0AEEF15A714ECABCA6519F13B9F29D86B202B474D83916031BBDE1E79FFD630FF276160965911BEDCD
                      Malicious:false
                      Preview:I]'^... ................e.f.3...w........................&..........w..),...zi.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................#.5.),...zi>................].lU),...zi.........................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7851018601842029
                      Encrypted:false
                      SSDEEP:192:QZOi9f6JKpHK7gPri4jg9/u7spS274ltO:EOilEKZK7gPri4ja/u7spX4ltO
                      MD5:A9EC094463456F9A02C42C2697E0613E
                      SHA1:CEA6652B099CCD5CC90CFA6FD8116F940685BE83
                      SHA-256:B81D3C6596BFC27133F673BE6F7308FBBD11CA2C6EF9BD454F8BE9B550B6162E
                      SHA-512:CCD772494BF1225809E1FBF30CE0C16AA714A09471B6DFBED049096903F730F083A71397E742F46D43F96271FC9558CE16131373AC081C40A31FEDF99F4D7DA6
                      Malicious:false
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.0.0.2.2.9.2.6.4.0.8.8.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.0.0.2.2.9.5.0.4.7.0.9.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.3.3.e.4.8.f.-.8.d.3.6.-.4.9.c.7.-.8.7.2.f.-.5.d.3.3.1.f.7.9.6.c.d.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.9.3.c.f.3.0.-.1.c.b.1.-.4.3.2.2.-.9.2.a.7.-.b.1.f.c.a.7.6.e.e.8.9.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.3.j.6.e.3.X.a.M.W.M...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.d.4.-.0.0.0.1.-.0.0.1.8.-.d.0.e.3.-.5.7.0.2.8.8.6.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Sat May 14 11:44:53 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):62662
                      Entropy (8bit):2.3342614143803724
                      Encrypted:false
                      SSDEEP:384:6hjgvroVw5Cx6tsUfIMyq7QEi55uqyRKvwj/9TPG:uhQCx6rfxyeNi55uqyRKk96
                      MD5:A261D05651CA09EA09C3A858A27F173D
                      SHA1:59CC2B5E70F87C4B5ED5F275C411B0EA3932CABC
                      SHA-256:2EAF9841421BE1AC3FFC878409BFD74DCAB6C2DC0168BA698A1A46A84FC6D85F
                      SHA-512:0A61432F1EAC1269B3E7001E75CEADD93984B353BAC3509336E1637BFD927A3CDF7FC857F46F4B19A01DC3DA6071587C7186C97567597CB6FF0E37810FCCE60C
                      Malicious:false
                      Preview:MDMP....... .......5..b....................................|...8.......D...L;..........`.......8...........T...........X...n............"...........$...................................................................U...........B......8%......Lw......................T...........-..b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):6660
                      Entropy (8bit):3.722023604388019
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiqqj2tMe5IeY8YS05CprD89b2jx1nfIEym:RrlsNivj2tMeBY8YS012jxVfIw
                      MD5:09B436CB0CFBF8F5E7622E9EF5EBADA9
                      SHA1:5104CB3DFD561D554885FEB1D6B466EB753762D8
                      SHA-256:EBC06CEAB45BA9C27AD21A65AF2601F8DCE32E18898E8DC0279B310F08DE350B
                      SHA-512:C3245FC04219AB4BE9FA781F7DBDD5DD41C451BF15DB024EE299E25283A730186BA4D0A3A9ACD7E30F7184743A0B0041A9242CA587CD184146FEBF4106BB29E0
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.0.8.<./.P.i.d.>.......
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4892
                      Entropy (8bit):4.502558522664939
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zsPrJgtBI9ZtWgc8sqYjo8fm8M4JCDG/CDGWinFaLHyq8vhDGWiOZESCM:uITfPFTcgrsqYxJOR7LHW5zVvnd
                      MD5:6625D9F06FC4E4DB1CB79616E60ECAA0
                      SHA1:FC3212AF0C360D160ED3882F74271B7893366E46
                      SHA-256:C6AB146EC5FD01ACD520F74E7E7324CAC7684649B44879B1B89871EE0BD7A04B
                      SHA-512:EF4EE338B212E5DEDC6FAB156D817FAD62B04CC6A45D330E52D396780DA381837E8A674AF01CFB63B2D53B3A573B77B9EE0786ABBB6E880418A211FE23A193F8
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1514695" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      Process:C:\Windows\System32\svchost.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):52252
                      Entropy (8bit):3.0611303193015345
                      Encrypted:false
                      SSDEEP:1536:7THbFC8TFNS0H4wPXKiAUvdlSMC01BscPwy:7THbFC8TFNS0H4wPaiAUvdlSMC01Bscz
                      MD5:114C6E3C676AA514C1D85CFA4055D947
                      SHA1:A15D041FABC99507E2949924D02F931FF3468662
                      SHA-256:F7F52C48A45A5256F48B0FE20A48009523D960AEC5011F3B67D00FBE719F69E2
                      SHA-512:F32475D2F37DB0FF4F5F68D8A359731CE24C3A808EC48AD31107B853224CBEDD46A81AFD8B730CDB2804059C7CBD4EA95D077EFACF4684AFF2252C03619AF6A8
                      Malicious:false
                      Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                      Process:C:\Windows\System32\svchost.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):13340
                      Entropy (8bit):2.6967709586535684
                      Encrypted:false
                      SSDEEP:96:kiZYWSxAFi5YYYHWBCdOHdYEZvUtFi3eBki1w65saB4+73EXIWd3:hZDS/vvSCa++73E4Wd3
                      MD5:6E150EB4E31351784200FC0FF6C48C07
                      SHA1:B18166F0BFF696070098BA2F1C920054A2757584
                      SHA-256:263692D28F1652D586CA7DA2B96C73ABBA90084FB7B610556A926DB5495F2D9E
                      SHA-512:775DC596EF4B2C09A59DD5C97EE62EC162FE261F9C88FA2611AE127E1B79A8646C3C072113BE1D3392334381CE9F004982B2049EAFDE73754CB4179BDED024A9
                      Malicious:false
                      Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.2.6.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                      Process:C:\Windows\System32\svchost.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):55
                      Entropy (8bit):4.306461250274409
                      Encrypted:false
                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                      Malicious:false
                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                      File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Entropy (8bit):6.48207883239968
                      TrID:
                      • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                      • Win64 Executable (generic) (12005/4) 10.17%
                      • Generic Win/DOS Executable (2004/3) 1.70%
                      • DOS Executable Generic (2002/1) 1.70%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                      File name:3j6e3XaMWM.dll
                      File size:545280
                      MD5:fded8e79db5a443a816be9dde9f6b499
                      SHA1:bec722ecd7d977f06914c629a345bad171a352e3
                      SHA256:1ddda2d0e1f8885a26ddedce73bc64dd830bad2769ad1e4186b676e885dcf0ec
                      SHA512:8bd1be01ae9feeb3f6439cc22396195e5713ad8cbc5574932947999dbeb5bccfca26684bb26dd7b1ba33ab9e692d10a9b50be984a7e1708d8e5a94db095c5496
                      SSDEEP:12288:B4UJY9B+TenWsSEPHjMOUP9uXdt7JpfYNVr9RM54RutCTdJGqIoTCZ4eEsZoHxHy:B4UJY9BSenZSEPHjMOUP9Udt7JpfYNV0
                      TLSH:A9C4CFA5435C08FCE762C3395C975BC5B1F7BDAE0664AF260BC18DA05E1BA90F53A381
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.H.v.&.v.&.v.&.h...o.&.h...2.&.h.....&.Q6].s.&.v.'.9.&.h...w.&.h...w.&.h...w.&.h...w.&.Richv.&.........PE..d.....}b.........."
                      Icon Hash:74f0e4ecccdce0e4
                      Entrypoint:0x1800423a8
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x180000000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x627D8598 [Thu May 12 22:09:28 2022 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:2
                      File Version Major:5
                      File Version Minor:2
                      Subsystem Version Major:5
                      Subsystem Version Minor:2
                      Import Hash:b268dbaa2e6eb6acd16e04d482356598
                      Instruction
                      dec eax
                      mov dword ptr [esp+08h], ebx
                      dec eax
                      mov dword ptr [esp+10h], esi
                      push edi
                      dec eax
                      sub esp, 20h
                      dec ecx
                      mov edi, eax
                      mov ebx, edx
                      dec eax
                      mov esi, ecx
                      cmp edx, 01h
                      jne 00007F5E20DB9767h
                      call 00007F5E20DBB8F4h
                      dec esp
                      mov eax, edi
                      mov edx, ebx
                      dec eax
                      mov ecx, esi
                      dec eax
                      mov ebx, dword ptr [esp+30h]
                      dec eax
                      mov esi, dword ptr [esp+38h]
                      dec eax
                      add esp, 20h
                      pop edi
                      jmp 00007F5E20DB9610h
                      int3
                      int3
                      int3
                      dec eax
                      mov dword ptr [esp+08h], ecx
                      dec eax
                      sub esp, 00000088h
                      dec eax
                      lea ecx, dword ptr [00014D05h]
                      call dword ptr [0000FC7Fh]
                      dec esp
                      mov ebx, dword ptr [00014DF0h]
                      dec esp
                      mov dword ptr [esp+58h], ebx
                      inc ebp
                      xor eax, eax
                      dec eax
                      lea edx, dword ptr [esp+60h]
                      dec eax
                      mov ecx, dword ptr [esp+58h]
                      call 00007F5E20DC82EAh
                      dec eax
                      mov dword ptr [esp+50h], eax
                      dec eax
                      cmp dword ptr [esp+50h], 00000000h
                      je 00007F5E20DB97A3h
                      dec eax
                      mov dword ptr [esp+38h], 00000000h
                      dec eax
                      lea eax, dword ptr [esp+48h]
                      dec eax
                      mov dword ptr [esp+30h], eax
                      dec eax
                      lea eax, dword ptr [esp+40h]
                      dec eax
                      mov dword ptr [esp+28h], eax
                      dec eax
                      lea eax, dword ptr [00014CB0h]
                      dec eax
                      mov dword ptr [esp+20h], eax
                      dec esp
                      mov ecx, dword ptr [esp+50h]
                      dec esp
                      mov eax, dword ptr [esp+58h]
                      dec eax
                      mov edx, dword ptr [esp+60h]
                      xor ecx, ecx
                      call 00007F5E20DC8298h
                      jmp 00007F5E20DB9784h
                      dec eax
                      mov eax, dword ptr [eax+eax+00000000h]
                      Programming Language:
                      • [ C ] VS2008 build 21022
                      • [LNK] VS2008 build 21022
                      • [ASM] VS2008 build 21022
                      • [IMP] VS2005 build 50727
                      • [RES] VS2008 build 21022
                      • [EXP] VS2008 build 21022
                      • [C++] VS2008 build 21022
                      NameVirtual AddressVirtual Size Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT0x55cf00x6f.rdata
                      IMAGE_DIRECTORY_ENTRY_IMPORT0x5544c0x3c.rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x5a0000x2dffc.rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x590000xe1c.pdata
                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x880000x1d8.reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IAT0x520000x288.rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                      .text0x10000x504ca0x50600False0.389081940124zlib compressed data5.26882252971IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rdata0x520000x3d5f0x3e00False0.355153729839data5.39183642982IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data0x560000x20d80x1200False0.180772569444data2.18161586025IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .pdata0x590000xe1c0x1000False0.44580078125data4.98556265168IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .rsrc0x5a0000x2dffc0x2e000False0.839408542799data7.73448363752IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc0x880000x6f80x800False0.1796875data1.81179169858IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      NameRVASizeTypeLanguageCountry
                      RT_RCDATA0x5a0a00x2de00dataEnglishUnited States
                      RT_MANIFEST0x87ea00x15aASCII text, with CRLF line terminatorsEnglishUnited States
                      DLLImport
                      KERNEL32.dllExitProcess, VirtualAlloc, CompareStringW, CompareStringA, GetTimeZoneInformation, GetLocaleInfoW, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, TlsAlloc, FlsGetValue, FlsFree, SetLastError, GetLastError, GetCurrentThread, FlsAlloc, HeapFree, Sleep, GetModuleHandleW, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, RtlUnwindEx, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, HeapAlloc, HeapReAlloc, WriteFile, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetDateFormatA, GetTimeFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, HeapSize, SetEnvironmentVariableA
                      ole32.dllCoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc
                      NameOrdinalAddress
                      DllRegisterServer10x180042050
                      DllUnregisterServer20x180042080
                      Language of compilation systemCountry where language is spokenMap
                      EnglishUnited States
                      TimestampSource PortDest PortSource IPDest IP
                      May 14, 2022 04:45:19.296314001 CEST49773443192.168.2.623.239.0.12
                      May 14, 2022 04:45:19.296422958 CEST4434977323.239.0.12192.168.2.6
                      May 14, 2022 04:45:19.296587944 CEST49773443192.168.2.623.239.0.12
                      May 14, 2022 04:45:19.325927019 CEST49773443192.168.2.623.239.0.12
                      May 14, 2022 04:45:19.325999975 CEST4434977323.239.0.12192.168.2.6
                      May 14, 2022 04:45:19.868187904 CEST4434977323.239.0.12192.168.2.6
                      May 14, 2022 04:45:19.868375063 CEST49773443192.168.2.623.239.0.12
                      May 14, 2022 04:45:20.298702002 CEST49773443192.168.2.623.239.0.12
                      May 14, 2022 04:45:20.298738003 CEST4434977323.239.0.12192.168.2.6
                      May 14, 2022 04:45:20.299345970 CEST4434977323.239.0.12192.168.2.6
                      May 14, 2022 04:45:20.299448967 CEST49773443192.168.2.623.239.0.12
                      May 14, 2022 04:45:20.302984953 CEST49773443192.168.2.623.239.0.12
                      May 14, 2022 04:45:20.344536066 CEST4434977323.239.0.12192.168.2.6
                      May 14, 2022 04:45:21.148293018 CEST4434977323.239.0.12192.168.2.6
                      May 14, 2022 04:45:21.148446083 CEST4434977323.239.0.12192.168.2.6
                      May 14, 2022 04:45:21.148520947 CEST49773443192.168.2.623.239.0.12
                      May 14, 2022 04:45:21.148566961 CEST49773443192.168.2.623.239.0.12
                      May 14, 2022 04:45:21.149230003 CEST49773443192.168.2.623.239.0.12
                      May 14, 2022 04:45:21.149265051 CEST4434977323.239.0.12192.168.2.6
                      • 23.239.0.12
                      Session IDSource IPSource PortDestination IPDestination PortProcess
                      0192.168.2.64977323.239.0.12443C:\Windows\System32\regsvr32.exe
                      TimestampkBytes transferredDirectionData
                      2022-05-14 02:45:20 UTC0OUTGET / HTTP/1.1
                      Cookie: BEJM=B0MGT1W30RM3I4GmkEo6AFWzbLRu3On53gxiwSGx6yRZs0mGt+SHT8eG7/u0LeKrYNoQkBpLGorS2h/gEoZIBzBkiZOHVid0kwLK/hPcmLPzB3j0unJDOTA5Ud0K1Il2wc6nUP+e9EdQ02zLEC+OZuHSkXujChtUoRUlROWyeXOSUngdG2CIK5drFpd5Vja0+edokEuhYKG1nLzixOhGSFbNojUAyLkT5uaWwQVIm4n4K7lKtm5XNtsrrMSO7G5Ho12N6QI9SQi8B7a3Nrm1jrPog9Fd8/xe+/hF9GoCjtAzD40F9wj0eCX3GkPW6oXDn0qzrGs6wlZPplWLyXsv1OjEupTe4NYBxsza1XQVKPuZQEoZmdH6hsyZzw==
                      Host: 23.239.0.12
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      2022-05-14 02:45:21 UTC0INHTTP/1.1 200 OK
                      Server: nginx
                      Date: Sat, 14 May 2022 02:45:21 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      2022-05-14 02:45:21 UTC0INData Raw: 33 35 37 0d 0a cd 88 ff 0c 87 57 86 be 58 7d 10 94 93 fb 4c 01 9f 85 e2 e0 e8 69 cf b2 81 7e b3 09 4b 21 8b 84 fd 72 bc f6 cb 89 c6 64 66 7e 99 59 b8 27 8e a1 99 57 09 71 19 2b e0 b6 55 6c 5d e9 56 e4 89 55 03 1c 97 a9 62 8e 7a b9 ad 41 25 50 a7 a9 ad e3 bc 2a 76 36 8c a8 c9 01 a2 7b 45 ad 9a 03 71 6e 9b 18 54 45 7a 4a 36 00 f3 09 ee a5 fa 92 59 17 5a fe d3 0b 92 ed d3 cc 19 19 47 1f 36 cd c3 58 cf 5f ad e2 c5 dd c3 14 5b a3 06 9e f9 26 61 31 c9 ba 10 8a f1 bd bd 26 31 01 e0 2e 65 41 62 db cd cf 40 3c d0 09 de 21 b4 1e 9a 6b 6f c4 f5 ca 93 d2 7e 1b 2f a2 96 e2 32 d8 ce 4a 97 c8 45 d0 fe 69 13 01 5e ec 11 50 56 a8 f3 84 ed b5 fd d0 db 7e c9 a2 82 35 9a 6f 75 df d9 b1 cf 84 5b 21 cd 48 1e 63 17 c9 e0 fe c7 a4 0f 70 76 b0 24 5f 0d 3b c0 2c 2d ef 69 f2 e2 e1
                      Data Ascii: 357WX}Li~K!rdf~Y'Wq+Ul]VUbzA%P*v6{EqnTEzJ6YZG6X_[&a1&1.eAb@<!ko~/2JEi^PV~5ou[!Hcpv$_;,-i


                      Click to jump to process

                      Target ID:0
                      Start time:04:44:41
                      Start date:14/05/2022
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Imagebase:0x7ff726010000
                      File size:51288 bytes
                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:1
                      Start time:04:44:41
                      Start date:14/05/2022
                      Path:C:\Windows\System32\loaddll64.exe
                      Wow64 process (32bit):false
                      Commandline:loaddll64.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll"
                      Imagebase:0x7ff754fc0000
                      File size:140288 bytes
                      MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:2
                      Start time:04:44:41
                      Start date:14/05/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll",#1
                      Imagebase:0x7ff6edbd0000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:3
                      Start time:04:44:42
                      Start date:14/05/2022
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:regsvr32.exe /s C:\Users\user\Desktop\3j6e3XaMWM.dll
                      Imagebase:0x7ff637120000
                      File size:24064 bytes
                      MD5 hash:D78B75FC68247E8A63ACBA846182740E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.375328025.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.375874843.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:4
                      Start time:04:44:42
                      Start date:14/05/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\3j6e3XaMWM.dll",#1
                      Imagebase:0x7ff7ed6f0000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.378481770.00000209E1550000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.377870030.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:5
                      Start time:04:44:42
                      Start date:14/05/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\3j6e3XaMWM.dll,DllRegisterServer
                      Imagebase:0x7ff7ed6f0000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.375271651.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.375521942.000001B484850000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:6
                      Start time:04:44:46
                      Start date:14/05/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\3j6e3XaMWM.dll,DllUnregisterServer
                      Imagebase:0x7ff7ed6f0000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000000.381392623.0000022E50210000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000000.380824464.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000000.382173038.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.467112227.0000022E50210000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000000.382607830.0000022E50210000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.466918273.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:7
                      Start time:04:44:48
                      Start date:14/05/2022
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\THydtigNYD\IHlj.dll"
                      Imagebase:0x7ff637120000
                      File size:24064 bytes
                      MD5 hash:D78B75FC68247E8A63ACBA846182740E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.883246847.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.883481095.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:8
                      Start time:04:44:49
                      Start date:14/05/2022
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Imagebase:0x7ff726010000
                      File size:51288 bytes
                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:9
                      Start time:04:44:49
                      Start date:14/05/2022
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -pss -s 468 -p 4308 -ip 4308
                      Imagebase:0x7ff7164b0000
                      File size:494488 bytes
                      MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:10
                      Start time:04:44:52
                      Start date:14/05/2022
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 4308 -s 328
                      Imagebase:0x7ff7164b0000
                      File size:494488 bytes
                      MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:16
                      Start time:04:45:11
                      Start date:14/05/2022
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                      Imagebase:0x7ff726010000
                      File size:51288 bytes
                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:17
                      Start time:04:45:23
                      Start date:14/05/2022
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Imagebase:0x7ff726010000
                      File size:51288 bytes
                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:19
                      Start time:04:45:29
                      Start date:14/05/2022
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                      Imagebase:0x7ff726010000
                      File size:51288 bytes
                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:23
                      Start time:04:45:56
                      Start date:14/05/2022
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                      Imagebase:0x7ff726010000
                      File size:51288 bytes
                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:26
                      Start time:04:46:07
                      Start date:14/05/2022
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                      Imagebase:0x7ff726010000
                      File size:51288 bytes
                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      No disassembly