Edit tour

Windows Analysis Report
8N8j6QojHn.dll

Overview

General Information

Sample name:	8N8j6QojHn.dll
Analysis ID:	1578327
MD5:	78b199f0a4f453fc8a4a05d05695e91e
SHA1:	6ad0ec9ca2464af8c9cddf6d8959850c7e106f2f
SHA256:	7f675bb692afe3b8f6dcb4bd533de73e871f167e884c98a04453ec16da0e59dd
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries temperature or sensor information (via WMI often done to detect virtual machines)

Queries voltage information (via WMI often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64native

loaddll64.exe (PID: 6980 cmdline: loaddll64.exe "C:\Users\user\Desktop\8N8j6QojHn.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7680 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 3032 cmdline: rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3900 cmdline: rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,DllMain MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 1424 cmdline: rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,ServiceMain MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 5136 cmdline: C:\Windows\system32\WerFault.exe -u -p 1424 -s 428 MD5: 5C06542FED8EE68994D43938E7326D75)

rundll32.exe (PID: 836 cmdline: rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,get_hostfxr_path MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8196 cmdline: rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",DllMain MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8204 cmdline: rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",ServiceMain MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 8480 cmdline: C:\Windows\system32\WerFault.exe -u -p 8204 -s 428 MD5: 5C06542FED8EE68994D43938E7326D75)

rundll32.exe (PID: 8220 cmdline: rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",get_hostfxr_path MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

HTTP traffic detected: POST /api/4508128821837904/envelope/ HTTP/1.1x-sentry-auth: Sentry sentry_key=d9163996e0bda3370ab4e6b347b338e4, sentry_version=7, sentry_timestamp=1734619276.6109421, sentry_client=sentry.rust/0.34.0accept: */*host: o4508128816857088.ingest.de.sentry.iocontent-length: 11466

Source: 8N8j6QojHn.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 8N8j6QojHn.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 8N8j6QojHn.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 8N8j6QojHn.dll	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 8N8j6QojHn.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 8N8j6QojHn.dll	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 8N8j6QojHn.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: 8N8j6QojHn.dll	String found in binary or memory: http://ocsp.digicert.com0N
Source: 8N8j6QojHn.dll	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: rundll32.exe, 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.18343814995.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.18404242298.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.19516996241.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, 8N8j6QojHn.dll	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: rundll32.exe, 0000000E.00000002.19515965457.000001E02BA83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738019511.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.sentry.io/product/accounts/quotas/
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C05000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173935973.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388550191.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E029FD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639591046.000001E02A055000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666984801.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173935973.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388550191.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639591046.000001E02A055000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666984801.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/d
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173935973.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388550191.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639591046.000001E02A055000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666984801.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/dll
Source: rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: 8N8j6QojHn.dll	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443

Source: unknown	HTTPS traffic detected: 34.120.62.213:443 -> 192.168.11.20:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.62.213:443 -> 192.168.11.20:49763 version: TLS 1.2

Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA111D19E0	6_2_00007FFA111D19E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA1147FFC0	6_2_00007FFA1147FFC0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA1149F7F0	6_2_00007FFA1149F7F0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA1148D1E0	6_2_00007FFA1148D1E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA1148A0B0	6_2_00007FFA1148A0B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA114896B0	6_2_00007FFA114896B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA11306290	6_2_00007FFA11306290
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA1147D500	6_2_00007FFA1147D500
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA1148D8D0	6_2_00007FFA1148D8D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA112E25B0	6_2_00007FFA112E25B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA112E1DA0	6_2_00007FFA112E1DA0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFA1149ED40	6_2_00007FFA1149ED40

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1424 -s 428

Source: 8N8j6QojHn.dll	Binary string: \Device\Afd\Mio
Source: 8N8j6QojHn.dll	Binary string: Failed to open \Device\Afd\Mio: h

Source: classification engine

Classification label: mal84.evad.winDLL@22/8@3/5

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1424
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:552:304:WilStaging_02
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8204
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:552:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c1380dce-5fba-47b6-bf2d-68dd0933185e

Jump to behavior

Source: 8N8j6QojHn.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,DllMain

Source: 8N8j6QojHn.dll

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\8N8j6QojHn.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,DllMain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,ServiceMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,get_hostfxr_path
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1424 -s 428
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",DllMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",ServiceMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",get_hostfxr_path
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8204 -s 428
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,ServiceMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,get_hostfxr_path	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",ServiceMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",get_hostfxr_path	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 8N8j6QojHn.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 8N8j6QojHn.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: 8N8j6QojHn.dll

Static file information: File size 3645790 > 1048576

Source: 8N8j6QojHn.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2db200

Source: 8N8j6QojHn.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8N8j6QojHn.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8N8j6QojHn.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8N8j6QojHn.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8N8j6QojHn.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8N8j6QojHn.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 8N8j6QojHn.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: 8N8j6QojHn.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: tQ.pdb"} source: rundll32.exe, 0000000E.00000003.19101104997.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbentiony1 source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbentiony source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: a46760000","image_size":480128,"id":"0d41a8f8-776d-301d-9412-065ba7e4627d-1","code_id":"a38af655ae000","debug_file":"shcore.pdb"},{"type":"symbolic","name":"C:\\Windows\\System source: rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sideload.pdb source: rundll32.exe, 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.18343814995.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.18404242298.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.19516996241.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, 8N8j6QojHn.dll
Source:	Binary string: sspicli.pdbError source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fwpuclnt.pdbDeviY source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdbrUserConfige source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wbemcomn.pdbrorData source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C192000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: 4h{rasadhlp.pdb"},{"type":"symbolic","name":"C:\\Windows\\System32\ source: rundll32.exe, 0000000E.00000003.19101104997.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdbSecurityTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 4h{tQ.pdb"} source: rundll32.exe, 0000000E.00000003.19101104997.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb007.exeupportedE source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imagehlp.pdbeon source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: userenv.pdbecurityTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: user32.pdbSecurityTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rasadhlp.pdbeHost.exe source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdburityTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb* source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: secur32.pdbeksonInfoO source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdbdressCodet source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb/SecurityTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdbrSizerus source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: combase.pdbecurityTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fqamifhuxpifwyepyqozlh.exetsup.exe32.pdbML%Q" source: rundll32.exe, 0000000E.00000003.19101104997.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173646008.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdburityToolsW source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdbcurityTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rasadhlp.pdb"},{"type":"symbolic","name":"C:\\Windows\\System32\ source: rundll32.exe, 0000000E.00000003.19101104997.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173646008.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wbemprox.pdbrrortyTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fwpuclnt.pdbDevi source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sideload.pdbst.exe source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb/SecurityToolse source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sideload.pdbst.exe9 source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wbemsvc.pdbnetSecurity source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdbdcurityTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbrrore source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32u.pdbnologytyTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: iphlpapi.pdbritytyTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdbSecurityToolsA source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdbdressCodetq source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdbicecillin source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdbvice.exeac source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb.exe source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fqamifhuxpifwyepyqozlh.exe2.pdb"},{"type source: rundll32.exe, 0000000E.00000003.19101104997.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdbrSizerusS source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdbr.exe source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fqamifhuxpifwyepyqozlh.execk.exeeapi.pdb1LqQ" source: rundll32.exe, 0000000E.00000003.19101104997.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: shcore.pdbc.exeityToolsg source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb.exe= source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32u.pdbnologytyToolsU source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb/SecurityToolsI source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msctf.pdbeProtection.exe source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.dllfile":"msvcrt.pdb"},{"type":"symbolic","name":"C:\\Windows\\System32\\combase.dll","arch":null,"image_addr":"0x7ffa44c90000","image_size":2334221,"id":"733e5da3-c48e-6dT source: rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fqamifhuxpifwyepyqozlh.exetsup.exe32.pdb source: rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdbQ source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: secur32.pdbeksonInfo source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbrroreFRO source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdbErroru source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fastprox.pdbrErrorCodety source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdbr.exe) source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdbxeity source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdbxe source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdbs source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: combase.pdbecurityToolsi source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdborDataools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.dlla46760000","image_size":480128,"id":"0d41a8f8-776d-301d-9412-065ba7e4627d-1","code_id":"a38af655ae000","debug_file":"shcore.pdb"},{"type":"symbolic","name":"C:\\Windows\\System source: rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdbxea source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdbc.exeityTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wbemprox.pdbrrortyTools[ source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Amsi.pdb source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb areorCode source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C192000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdbvice.exea source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdbycurityTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: file":"msvcrt.pdb"},{"type":"symbolic","name":"C:\\Windows\\System32\\combase.dll","arch":null,"image_addr":"0x7ffa44c90000","image_size":2334221,"id":"733e5da3-c48e-6dT source: rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xTheme.pdb"},{"tf source: rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb1 source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdbycurityTools- source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdbSecurityTools source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdbrUserConfig source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp

Source: 8N8j6QojHn.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8N8j6QojHn.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8N8j6QojHn.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8N8j6QojHn.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8N8j6QojHn.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 8N8j6QojHn.dll

Static PE information: real checksum: 0x37a4bb should be: 0x381d51

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00007FFA111D3C31 push 314C2960h; ret

6_2_00007FFA111D3C36

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)

Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Fan

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory

Queries temperature or sensor information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_NumericSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Sensor

Queries voltage information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_VoltageSensor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VoltageProbe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEP
Source: rundll32.exe, 0000000E.00000003.18452800122.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE1-RPN
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEC
Source: rundll32.exe, 0000000E.00000003.18452800122.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXEP
Source: rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXEEXEEN-WIN.EXE=JWQ
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HREGMON.EXE_:
Source: rundll32.exe, 0000000E.00000003.18639398813.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595680732.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEQOZLH.E
Source: rundll32.exe, 0000000E.00000003.18666830731.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEXE
Source: rundll32.exe, 0000000E.00000003.18666830731.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEXE*
Source: rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HREGMON.EXE`
Source: rundll32.exe, 0000000E.00000003.18639398813.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595680732.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXEEXETYTOOLS
Source: rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: rundll32.exe, 0000000E.00000003.18666984801.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE-
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE+
Source: rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEEI
Source: rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE*
Source: rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452800122.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE*
Source: rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXETIVIRUS
Source: rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE*`ES
Source: rundll32.exe, 0000000E.00000003.19028815928.000001E02C1A1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXEURITYTOOLSIL)Q
Source: rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE*
Source: rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEEJ
Source: rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXERV3Q
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: rundll32.exe, 0000000E.00000003.19028815928.000001E02C1A1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEML%Q
Source: rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEECURITYTOOLS
Source: rundll32.exe, 0000000E.00000003.18639398813.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595680732.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEFWYEPYQOZLH.E`
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXEAY.EXECONFIG
Source: rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEECURITYTOOLS
Source: rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101038404.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEE)
Source: rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE@
Source: rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101038404.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEE
Source: rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEE
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXEETYPEONIONSOR
Source: rundll32.exe, 00000007.00000003.18311636046.0000025A79C3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXEYZ
Source: rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEE0
Source: rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXEAY.EXECONFIGE
Source: rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXEP
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEEEXE.EXEN.EXE
Source: rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEYTOOLS
Source: rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380580752.000001E02BA25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: rundll32.exe, 0000000E.00000003.18452800122.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXES
Source: rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXEP\
Source: rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEEEEEI
Source: rundll32.exe, 0000000E.00000003.18639398813.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595680732.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEXEEXEEETOOLSD
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HREGMON.EXE+
Source: rundll32.exe, 0000000E.00000003.18639398813.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595680732.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEXEEXEEETOOLS
Source: rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HREGMON.EXE*
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380580752.000001E02BA25000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028847204.000001E02C189000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXEE.EXETION.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524586478.000001E02A078000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HREGMON.EXE
Source: rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HREGMON.EXE0
Source: rundll32.exe, 0000000E.00000003.19388051398.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE2HQQ
Source: rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE+
Source: rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380580752.000001E02BA25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE*
Source: rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEEEEE
Source: rundll32.exe, 0000000E.00000003.19459228078.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEERNETSECURITY
Source: rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEP(
Source: rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE,
Source: rundll32.exe, 0000000E.00000003.18666830731.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE<
Source: rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEXE
Source: rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028815928.000001E02C1A1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXEURITYTOOLS
Source: rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEYTOOLSG

Source: C:\Windows\System32\rundll32.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_6-2498

Source: C:\Windows\System32\rundll32.exe

API coverage: 0.0 %

Source: C:\Windows\System32\loaddll64.exe TID: 8072	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3468	Thread sleep count: 83 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 8256	Thread sleep count: 58 > 30	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFortinetSmartSecurity

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 34.120.62.213 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 18.160.64.42 80	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 108.157.172.115 80	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 195.133.1.117 80	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Windows\System32\rundll32.exe VolumeInformation	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00007FFA1148FC00 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_00007FFA1148FC00

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SPIDERML.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procmon.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: tmpfw.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVKService.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: fsgk32.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MCAGENT.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524510030.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cctray.exe
Source: rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19029009093.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVGNSX.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: fnrb32.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVGWDSVC.exe
Source: rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957344792.000001E02C1AF000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028815928.000001E02C1A1000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388248315.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595746016.000001E02A078000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MCUPDATE.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KAVSVC.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fsm32.exe
Source: rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19029009093.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVGCSRVX.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388248315.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KPFWSvc.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ravmond.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fsav32.exe
Source: rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524510030.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173935973.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737878246.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101167051.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: defwatch.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fsdfwd.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380580752.000001E02BA25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nmain.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CLAMWIN.exe
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ACAAS.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459228078.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pavfnsvr.exe
Source: rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MCSHIELD.EXE
Source: rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388550191.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173646008.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380689267.000001E02BA21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666984801.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18308826884.0000025A79C56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19174002374.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317098035.000001E02A079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fast.exe
Source: rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737878246.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380689267.000001E02BA21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C189000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: fameh32.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524510030.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: drweb32w.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667061492.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aswupdsv.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pctsGui.exe
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388248315.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: kissvc.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avEngine.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fsav95.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028909132.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WEBPROXY.EXE
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245660868.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NOD32.exe
Source: rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173646008.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: mcvsshld.exe
Source: rundll32.exe, 00000007.00000003.18311636046.0000025A79C3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CCenter.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KWatch.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inicio.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738322688.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173646008.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666984801.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcvsrte.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18308826884.0000025A79C56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19174002374.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317098035.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173187840.000001E02BAF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cfp.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: aswUpdsv.exe
Source: rundll32.exe, 00000007.00000003.18311045370.0000025A79C8C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667170217.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18340924448.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: fsaa.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FPROTTRAY.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957745679.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101038404.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RTVscan.exe
Source: rundll32.exe, 0000000E.00000002.19514830461.000001E029F87000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639591046.000001E02A055000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KvXP.kxp
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: portmonitor.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: tmproxy.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PSIMSVC.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fih32.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dwengine.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KAVSTART.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388550191.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kvsrvxp.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459228078.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CUREIT.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173429418.000001E02C1AE000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957344792.000001E02C1AF000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NMAIN.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fsaua.exe
Source: rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380580752.000001E02BA25000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nod32krn.exe
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459228078.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pctsSvc.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524510030.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667061492.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: avgupd.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kavstart.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processmonitor.exe
Source: rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWUPDSV.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028909132.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UmxPol.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVGUPSVC.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957344792.000001E02C1AF000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MCVSSHLD.exe
Source: rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C181000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101167051.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388051398.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452800122.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738019511.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ashdisp.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: PsCtrlS.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459228078.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spf.exe
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ALsvc.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SAVAdminService.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: spiderml.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ashmaisv.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SpIDerAgent.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SPIDERNT.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173646008.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316822979.000001E02C1AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: mcagent.exe
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ALMon.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245631153.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgrsx.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kvmonxp.kxp
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459228078.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515421305.000001E02A078000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CLAMTRAY.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: portdetective.exe
Source: rundll32.exe, 00000007.00000003.18311045370.0000025A79C8C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19174002374.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317098035.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173187840.000001E02BAF5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18340924448.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdss.exe
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ACAIS.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVKWCtl.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245631153.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101167051.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388051398.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FPWIN.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KAVStart.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RAVMOND.exe
Source: rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: fsgk32st.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f-prot.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19174002374.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317098035.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173935973.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SavService.exe
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: RavTask.exe
Source: rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028909132.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452851087.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VBA32LDR.exe
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASHDISP.exe
Source: rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524510030.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245631153.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028909132.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452851087.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPSCHD.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459228078.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CLPSLS.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667170217.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ONLINENT.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FPAVServer.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xcommsvr.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PsImSvc.exe
Source: rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: capfasem.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524426030.000001E02BAF4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639398813.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595680732.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FSGK32.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667170217.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OP_MON.exe
Source: rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380580752.000001E02BA25000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028847204.000001E02C189000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pavbckpt.exe
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A2START.EXE
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028909132.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452851087.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245631153.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101167051.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TMPROXY.exe
Source: rundll32.exe, 00000007.00000003.18311636046.0000025A79C3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CFP.exe
Source: rundll32.exe, 0000000E.00000003.18524426030.000001E02BAF4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: webproxy.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GDFirewallTray.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KAVPFW.exe
Source: rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380580752.000001E02BA25000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737878246.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nod32kui.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19029009093.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVGUI.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388051398.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nspupsvc.exe
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCANMSG.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C181000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: apvxdwin.exe
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19029009093.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341478305.000001E02A01B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PAVFNSVR.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173935973.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f-stopw.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028847204.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245631153.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgwdsvc.exe
Source: rundll32.exe, 00000007.00000003.18311045370.0000025A79C8C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317098035.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881873118.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fsav.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957344792.000001E02C1AF000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173646008.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: mcupdate.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fp-win.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DRWEBSCD.EXE
Source: rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: fsav530wtbyb.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524510030.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zlclient.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PSHost.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ashWebSv.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524510030.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667061492.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245631153.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgtray.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SBAMSvc.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: drwebscd.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TmPfw.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524426030.000001E02BAF4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639398813.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595680732.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FSM32.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524586478.000001E02A078000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GUARDXKICKOFF.exe
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101038404.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PavFnSvr.exe
Source: rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: f-prot95.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028909132.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WebProxy.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVKProxy.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: kav32.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452851087.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UmxAgent.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCFManager.exe
Source: rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19029009093.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASHWEBSV.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639753936.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: K7RTScan.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524426030.000001E02BAF4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639398813.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595680732.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FSDFWD.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667061492.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028847204.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: avgscanx.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aswUpdSv.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: kavsvc.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SPIDERUI.exe
Source: rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101038404.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245631153.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19029009093.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVGEMC.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procdump.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C181000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: avengine.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: avgnsx.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524426030.000001E02BAF4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639398813.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595680732.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FSMA32.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245631153.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101167051.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452800122.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ashserv.exe
Source: rundll32.exe, 00000007.00000003.18311636046.0000025A79C3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BULLGUARD.EXE
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A2SERVICE.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957929496.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fprot.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KVSrvXP.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fsmb32.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spiderui.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524426030.000001E02BAF4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PavPrSrv.exe
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A2GUARD.EXE
Source: rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388550191.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173646008.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380689267.000001E02BA21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957646612.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595293741.000001E02C195000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: kpfw32.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qoeloader.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVKTray.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FAMEH32.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVGTRAY.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: spidernt.exe
Source: rundll32.exe, 00000007.00000003.18311636046.0000025A79C3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EMLPROUI.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spideragent.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380580752.000001E02BA25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nod32.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19174002374.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317098035.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18340924448.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cafw.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667170217.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459111249.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kav.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: savservice.exe
Source: rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245660868.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VRMONSVC.exe
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ACAEGMgr.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DefWatch.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245631153.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459228078.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pctsAuxs.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EMLPROXY.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ITMRTSVC.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: K7TSMngr.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KSafeTray.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452851087.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639787326.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UmxFwHlp.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524586478.000001E02A078000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GUARDXSERVICE.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459228078.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClamTray.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101167051.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452800122.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ahnsdsv.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639827896.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: psimsvc.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667170217.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PAVPRSRV.exe
Source: rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASHSERV.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380580752.000001E02BA25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msascui.exe
Source: rundll32.exe, 00000007.00000003.18311636046.0000025A79C3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: F-STOPW.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101167051.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: guard.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667061492.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ashMaiSv.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Qoeloader.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028909132.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UmxCfg.exe
Source: rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388550191.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kwatch.exe
Source: rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18339253020.000001E02A034000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028847204.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: tpsrv.exe
Source: rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pskmssvc.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311045370.0000025A79C8C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667170217.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459111249.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317098035.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kvxp.kxp
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524426030.000001E02BAF4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsmon.exe
Source: rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101038404.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452851087.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639787326.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Rtvscan.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tnbutil.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524426030.000001E02BAF4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639398813.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595680732.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FSMB32.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fsma32.exe
Source: rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957344792.000001E02C1AF000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028815928.000001E02C1A1000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595746016.000001E02A078000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515965457.000001E02BA83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341478305.000001E02A01B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fsav530stbyb.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: livesrv.exe
Source: rundll32.exe, 00000007.00000002.18342488238.0000025A79C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: rundll32.exe, 00000007.00000003.18311636046.0000025A79C3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FCH32.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCFService.exe
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667170217.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19029009093.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666984801.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ONLNSVC.exe
Source: rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388248315.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C1AF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: PSIMSVC.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737983780.000001E02A07C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881458175.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fch32.exe
Source: rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101038404.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19029009093.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVGNT.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ashServ.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18667170217.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459111249.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A041000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957344792.000001E02C1AF000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18340924448.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mbam.exe
Source: rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452851087.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639437963.000001E02C1AF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881558215.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380580752.000001E02BA25000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028847204.000001E02C189000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DRWEB32W.EXE
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: alsvc.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GDFwSvc.exe
Source: rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380803698.000001E02BA22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524340370.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595356663.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173646008.000001E02C1A3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000007.00000003.18311636046.0000025A79C3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317098035.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639591046.000001E02A055000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380632627.000001E02A075000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KAV.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ashwebsv.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524426030.000001E02BAF4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639398813.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595455178.000001E02BAC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18595680732.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FSGK32ST.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666894715.000001E02C183000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PavBckPT.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524510030.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524277505.000001E02C193000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881629068.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FSAV32.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524510030.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgas.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101441209.000001E02C18A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028847204.000001E02C189000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380632627.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452800122.000001E02BAC1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738019511.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avguard.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18308826884.0000025A79C56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.18342488238.0000025A79C66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452976459.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957077698.000001E02BAF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173187840.000001E02BAF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cpf.exe
Source: rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.exe
Source: rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881840303.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101038404.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19029009093.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVENGINE.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245525198.000001E02C1A7000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809602086.000001E02C18C000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18452716029.000001E02BACD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pctsTray.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311391067.0000025A79C48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341357527.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639717164.000001E02A079000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245602871.000001E02A075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KVMonXP.kxp
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380879200.000001E02A077000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515372021.000001E02A06B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809713543.000001E02A077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ccprovsp.exe
Source: rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028909132.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316889270.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459184614.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245631153.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VRFWSVC.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311569840.0000025A79C42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCANWSCS.exe
Source: rundll32.exe, 00000007.00000003.18311114099.0000025A79C44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173580422.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19028909132.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18809950264.000001E02A068000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19101507224.000001E02BA8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639787326.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VRMONNT.exe
Source: rundll32.exe, 0000000E.00000003.18380903963.000001E02A06F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18380661574.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341220309.000001E02A01F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173697388.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18524461218.000001E02A06A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18737819081.000001E02C19F000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957745679.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459255677.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SPYBOTSD.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881782889.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388180177.000001E02A068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FProtTray.exe
Source: rundll32.exe, 00000007.00000003.18311296742.0000025A79C3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311701697.0000025A79C3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.18311636046.0000025A79C3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341020848.000001E02A018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19316928646.000001E02BA81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18341478305.000001E02A01B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClamWin.exe

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00007FFA11471730 accept,WSAGetLastError,closesocket,bind,WSAGetLastError,closesocket,

6_2_00007FFA11471730

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	611 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	LSASS Memory	731 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8N8j6QojHn.dll	55%	ReversingLabs	Win64.Backdoor.Bastdoor

Name	IP	Active	Malicious	Antivirus Detection	Reputation
d2np1vqkcxhde6.cloudfront.net	18.160.64.42	true	true		unknown
o4508128816857088.ingest.de.sentry.io	34.120.62.213	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://d2np1vqkcxhde6.cloudfront.net/ws	true		unknown
http://195.133.1.117/ws	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/	rundll32.exe, 00000007.00000002.18342488238.0000025A79C05000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173935973.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388550191.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E029FD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639591046.000001E02A055000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666984801.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/d	rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173935973.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388550191.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639591046.000001E02A055000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666984801.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.quovadis.bm0	rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.sentry.io/product/accounts/quotas/	rundll32.exe, 0000000E.00000002.19515965457.000001E02BA83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738019511.000001E02BA9F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://ocsp.quovadisoffshore.com0	rundll32.exe, 0000000E.00000002.19515707143.000001E02BA3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19515707143.000001E02BA20000.00000004.00000020.00020000.00000000.sdmp	false	high
https://o4508128816857088.ingest.de.sentry.io/api/4508128821837904/envelope/dll	rundll32.exe, 0000000E.00000003.18810001946.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18957515236.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19245795841.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.19514830461.000001E02A053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18881496685.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19317055592.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19459381571.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19100946319.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18810099963.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19173935973.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.19388550191.000001E02A052000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18738221590.000001E02A025000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18639591046.000001E02A055000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.18666984801.000001E02A052000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://docs.rs/getrandom#nodejs-es-module-support	rundll32.exe, 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.18343814995.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.18404242298.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.19516996241.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmp, 8N8j6QojHn.dll	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
108.157.172.115	unknown	United States	16509	AMAZON-02US	true
34.120.62.213	o4508128816857088.ingest.de.sentry.io	United States	15169	GOOGLEUS	false
18.160.64.42	d2np1vqkcxhde6.cloudfront.net	United States	3	MIT-GATEWAYSUS	true
195.133.1.117	unknown	Russian Federation	48347	MTW-ASRU	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578327
Start date and time:	2024-12-19 15:39:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8N8j6QojHn.dll
Detection:	MAL
Classification:	mal84.evad.winDLL@22/8@3/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.189.173.22, 20.190.157.11
Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 8N8j6QojHn.dll

Simulations

Behavior and APIs

Time	Type	Description
09:41:16	API Interceptor	1x Sleep call for process: loaddll64.exe modified
09:41:18	API Interceptor	2x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIT-GATEWAYSUS	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	19.138.81.245
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.91.181.84
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.114.19.101
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	19.79.75.43
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	19.70.98.4
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	19.98.16.193
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	19.172.91.23
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	128.30.30.174
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	18.161.69.16
	https://d2kjcgrb1q4xt7.cloudfront.net/mULiCoBDj2Ug.exe	Get hash	malicious	Unknown	Browse	18.66.153.159
MTW-ASRU	ET5.exe	Get hash	malicious	Unknown	Browse	45.141.101.45
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	193.124.107.252
	na.elf	Get hash	malicious	Unknown	Browse	193.124.64.114
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	193.124.64.126
	g082Q9DajU.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog Stealer	Browse	195.133.48.136
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	195.133.48.136
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	195.133.48.136
	SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	195.133.48.136
	https://t.co/Tmh47fiTWd	Get hash	malicious	Unknown	Browse	93.95.97.29
AMAZON-02US	https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdf	Get hash	malicious	PDFPhish	Browse	3.77.62.172
	setup.msi	Get hash	malicious	AteraAgent	Browse	108.158.75.12
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.180.43.133
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.212.245.104
	Last Annual payment.htm	Get hash	malicious	Phisher	Browse	52.16.219.193
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	3.6.240.229
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	13.61.42.195
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	54.245.29.89
	RECOUVREMENT -FACTURER1184521.pdf	Get hash	malicious	Unknown	Browse	13.226.2.54

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	34.120.62.213
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	34.120.62.213
	Tii6ue74NB.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar	Browse	34.120.62.213
	Non-Disclosure Agreement.html	Get hash	malicious	Unknown	Browse	34.120.62.213
	rs.lnk.d.lnk	Get hash	malicious	Unknown	Browse	34.120.62.213
	ny.lnk.d.lnk	Get hash	malicious	Unknown	Browse	34.120.62.213
	hnsadjhfg18De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	34.120.62.213
	slifdgjsidfg19.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	34.120.62.213
	De17De16.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	34.120.62.213

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8N8_227981c0f83afa88f5535c5c353a7cf1b92740eb_28fdd4fb_0552533c-2f0a-4297-9945-863846b0ca38\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8391848984652737
Encrypted:	false
SSDEEP:	96:1EFjghiPyKywsjQ4RvTifntvXIxcQjc6mcEccw3oB9XaXz+HbHgSQgJjalo1zaw+:qxCiPywNm9iGWNjx5Du76CfAlx8u
MD5:	6ED8909C59C34F51F69ED4AAB019AD4A
SHA1:	362C257CDAF5328AAB5C5374AE68ABDE74AD988F
SHA-256:	36A41EE727C18571C66C3E1391606E7A6989AC51FE194C752C0564DAE197DCCA
SHA-512:	12F40306A8DEBC97922F5015D1279068D8FB7D3941B41DCE6EB013433AA2A3AE665394576EB13FCE37E3517F2DA3C9E8602A183029587A431DEE2958CCAB243F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.2.8.8.1.7.1.4.3.9.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.2.8.8.2.0.2.6.7.9.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.5.2.5.3.3.c.-.2.f.0.a.-.4.2.9.7.-.9.9.4.5.-.8.6.3.8.4.6.b.0.c.a.3.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.3.1.0.5.c.8.-.5.5.7.3.-.4.1.9.c.-.8.0.7.7.-.5.4.2.c.8.7.8.0.9.5.3.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.8.N.8.j.6.Q.o.j.H.n...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.2.0.0.c.-.0.0.0.1.-.0.0.5.0.-.6.7.5.4.-.4.1.0.f.2.4.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8N8_227981c0f83afa88f5535c5c353a7cf1b92740eb_28fdd4fb_920365fd-1804-4983-87e1-96076e6e39b4\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8391899891763874
Encrypted:	false
SSDEEP:	96:e2FtQhiewyKy4sjQ4RvTifntvXIxcQjc6mcEccw3oB9XaXz+HbHgSQgJjalo1zaZ:pPSiRy4Nm9iGWNjx5Du76CfAlx8u
MD5:	00B9F8EEA505CF40EACED7B4CA658252
SHA1:	80BE0B73DA07C769774320132C4E9C16188A0CCF
SHA-256:	FA181F6530E5B05E1527BD7510B7E804BAF2C5161A173C5BAB3329117CCF4A2D
SHA-512:	B8FD591EE0B572C9C19D11969451CD2D42B62A24E1FB6885862B6AE9DBDC082F4114A8F6BF3FFCDBBA35A25B8F144671CBB27823EBFBC117A9D4D73C5CD67307
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.2.8.7.5.7.7.8.5.1.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.2.8.7.6.1.5.3.4.2.9.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.0.3.6.5.f.d.-.1.8.0.4.-.4.9.8.3.-.8.7.e.1.-.9.6.0.7.6.e.6.e.3.9.b.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.8.b.2.5.4.e.-.5.f.0.4.-.4.b.9.9.-.b.a.f.a.-.b.c.7.e.2.0.e.d.7.5.6.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.8.N.8.j.6.Q.o.j.H.n...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.9.0.-.0.0.0.1.-.0.0.5.0.-.9.c.a.a.-.a.1.0.b.2.4.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER152.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 19 14:41:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	67302
Entropy (8bit):	1.5403003252269734
Encrypted:	false
SSDEEP:	96:5H8fFLIE6w5M0G5eoi7M8YNbqq37ngA/upUGMWI8mIBEeUHGMSxREx1:uflf5EXOM8YhqqrburTUH3gy1
MD5:	3890320BAA09BC4B0435AE89020B2411
SHA1:	AA5831069359BB75F95532560F6AE6787C825CF7
SHA-256:	89D08EBA5E75927D8CE505F21510117CA8E5DA3A9B9491BC4AF3178BAA073F2B
SHA-512:	E1BD39A680A54622445A5B0C1C1C9FAC1AB191CD50B81A8D38533E44DFEFC8F38CF6DF5E8113648541728797580BAE9E86674E30A0EBBE234A89A4B0A99B60C0
Malicious:	false
Preview:	MDMP..a..... ........0dg.........................................2..........T.......8...........T...........@...........................................................................................................bJ......h.......Lw......................T........ ...0dg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8746
Entropy (8bit):	3.7028609647517476
Encrypted:	false
SSDEEP:	192:R9l7lZNiwMI0v6YVvHxgmfk583tprv89buQefPam:R9lnNiMG6Y9Hxgmfk58QuJfT
MD5:	9A6BC0CDD1699BFC25AD5C3054F74C7A
SHA1:	1BCB29A48D92D0CBACC8EE0474CFA26EC2D22C1F
SHA-256:	8B1E06DE307AA28A1AD7A5BE93F06A7A1C28B1ACCF9407C0CEBCE86A354FFE82
SHA-512:	4510EFFB154F9F959912F79EDB80F148F4FA60D8052C8375C20212BDDA9B9F0F7A83D9189C4D97BD792A11DF1C572B64307CB438F6E998ECA605AEF50FA75F2D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.2.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D1.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4949
Entropy (8bit):	4.534467526077932
Encrypted:	false
SSDEEP:	48:cvIwwtl8zsVe70xzI7VFJ5WS2CfjkLGs3rm8M4JC1CdxBFSWyq85mZG6ptSTSVNd:uILfc7y8ySPfMJfB7RpoOfd
MD5:	F128685B4C53F986CF1BC6DB35728618
SHA1:	82587D438F03D8FFFD6213EDD3C40846E1A1CCAC
SHA-256:	4BBC8CA87F2349A5401952B3730560D58971F3255E6D7063E46AB665742F2D30
SHA-512:	DFE834A3834F374196FF5E5AC6B5EC30D939D0500BE10B27B179935111F95E42F648058D6425A6CE4B6A52BBF453FEFEA1BD525AD54A7458277356021731C76F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222982072" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA11.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 19 14:41:15 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	68262
Entropy (8bit):	1.5256126232361615
Encrypted:	false
SSDEEP:	192:MLjmf5LJXOM8Y1BAR1QQuhcehbkgF03K:l5LJ+FY1WUkgCa
MD5:	997E736E0E985A0BD7B799172C20C7C6
SHA1:	B2DD682DF947AB158767A3863698BFCA8FC9F2CC
SHA-256:	850C0871D3DA4BCB70CE43C7192E774FCC929F7BF75C74CD2EF27AF5EA7CCB00
SHA-512:	135FA82ACE378D57F72CC0F644F603E7314D0C18335BBB6F2F3C63BA698AF7754C4DDF57886135CC3FDE19720EC73A602C4EC5688D9F3144BA1EBAA1B40777F0
Malicious:	false
Preview:	MDMP..a..... ........0dg.........................................2..........T.......8...........T...........@...f.......................................................................................................bJ......h.......Lw......................T............0dg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREABE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8950
Entropy (8bit):	3.7045572222781793
Encrypted:	false
SSDEEP:	192:R9l7lZNieW0p6YWZIgmfk583tprT89bJ1efUfDm:R9lnNiHg6YgIgmfk58EJ8fUS
MD5:	F4AF2C1EB01D45B409BDEFE35E8F929E
SHA1:	8B388382293E7CC4A7BDBA05949E6EFFDDA5624F
SHA-256:	C9F38967B0ED6BE7E3A49058CD75AADBD21333554041411D4EAA61A3CCB8573C
SHA-512:	1AD44DE64B0087B4BC187C6D153B98D0AC20A97E2945F13742A9C4DBC9F48694B2C14DB7B62F35138BD25E6B4C7390E0EB3B563C8AC4343CA3090A7682E36B9D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAEE.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4949
Entropy (8bit):	4.531676523271381
Encrypted:	false
SSDEEP:	48:cvIwwtl8zsVe70xzI7VFJ5WS2Cfjkms3rm8M4JC1CdxBFOO+yq85mZGrn2ptSTSt:uILfc7y8ySPfsJfc75poOXd
MD5:	9CA36BF4DD3B9E083DF990E29D806026
SHA1:	86A538F2238D318CFD680D25332E328AE68A72FF
SHA-256:	1CB0021A553614541FB0F3121675F3F1F2A2CED1F9EFFBFF38788CE883137785
SHA-512:	F0C0161A0D4C4830447C33A3D5E8310E4EBBFE6BCF6F5BB33C33FEF52B93DFD652AEC2050DBA1B61AA671995DE0EDB45CDE0784A94750AF0A20EAB38A246E972
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222982072" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.401808042340704
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	8N8j6QojHn.dll
File size:	3'645'790 bytes
MD5:	78b199f0a4f453fc8a4a05d05695e91e
SHA1:	6ad0ec9ca2464af8c9cddf6d8959850c7e106f2f
SHA256:	7f675bb692afe3b8f6dcb4bd533de73e871f167e884c98a04453ec16da0e59dd
SHA512:	fb189d535a99f5548d92b391c2273040ddd6d61528daac4e4b92a9da14bc0a41c1e9bcf6d6f0d96122945d73c3ef995f7e08d671bb690c14052262ad8fa567b6
SSDEEP:	49152:Lg4eSTLnnStKQlAtCITgJL77D6nMTABbVfPoNyiClmE+S/iCz7g2:l/fptPTi65+S/ie02
TLSH:	E8F51903E613089CC03AD1B497977932BA31BC494335BAFF5AC45B222F56BE07A79749
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..NX\|.NX\|.NX\|.. ..GX\|.. y..X\|.. x.CX\|.^...GX\|.^.x.@X\|.^.y.oX\|.. }.LX\|..-}.SX\|.NX}.pY\|.NX\|..Y\|...\|.OX\|.....OX\|...~.OX\|.RichNX\|

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1802bfbc0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x672B7282 [Wed Nov 6 13:43:30 2024 UTC]
TLS Callbacks:	0x802916a0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	1a26f8d82312018d551f2e0028c5eb49

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F4AC8F04047h
call 00007F4AC8F04064h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F4AC8F03EE0h
int3
int3
int3
dec eax
mov dword ptr [esp+18h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
dec eax
mov eax, dword ptr [000ADBECh]
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax+3Bh], cl
ret
jne 00007F4AC8F040B6h
dec eax
and dword ptr [ebp+10h], 00000000h
dec eax
lea ecx, dword ptr [ebp+10h]
call dword ptr [0001D69Eh]
dec eax
mov eax, dword ptr [ebp+10h]
dec eax
mov dword ptr [ebp-10h], eax
call dword ptr [0001D698h]
mov eax, eax
dec eax
xor dword ptr [ebp-10h], eax
call dword ptr [0001D4FCh]
mov eax, eax
dec eax
lea ecx, dword ptr [ebp+18h]
dec eax
xor dword ptr [ebp-10h], eax
call dword ptr [0001D7F4h]
mov eax, dword ptr [ebp+18h]
dec eax
lea ecx, dword ptr [ebp-10h]
dec eax
shl eax, 20h
dec eax
xor eax, dword ptr [ebp+18h]
dec eax
xor eax, dword ptr [ebp-10h]
dec eax
xor eax, ecx
dec eax
mov ecx, FFFFFFFFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x36a8f0	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36a968	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37b000	0x3f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x370000	0xa104	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x379400	0xd40
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x37c000	0x2e60	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x366920	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x366b00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3667e0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2dd000	0x6e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2db040	0x2db200	eb89e6117e562f42dee0472f1e93f28a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2dd000	0x8f236	0x8f400	5f7686d6b36ddb2236ec8c754c35b634	False	0.4832910667539267	data	6.032330304078537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x36d000	0x26e0	0x1400	abecdfb9703961d2506dffebe3630ad3	False	0.159765625	data	2.1126320736313366	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x370000	0xa104	0xa200	0ed626b7ebecc3bdc355d551f00abe86	False	0.5114052854938271	data	6.006328827673415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x37b000	0x3f0	0x400	91081ec536ee22308130ad5ac40a2000	False	0.4658203125	data	4.228310792125718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x37c000	0x2e60	0x3000	06eaa847943e10b2cc7f5eb457c31ed8	False	0.344970703125	data	5.409227767100945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x37b0a0	0x1a0	data	English	United States	0.49759615384615385
RT_MANIFEST	0x37b240	0x1af	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5359628770301624

Imports

DLL	Import
bcryptprimitives.dll	ProcessPrng
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
ws2_32.dll	getsockname, getpeername, WSASocketW, bind, connect, listen, getsockopt, shutdown, recv, send, WSASend, setsockopt, WSAIoctl, WSAStartup, accept, socket, WSACleanup, WSAGetLastError, freeaddrinfo, ioctlsocket, closesocket, getaddrinfo
kernel32.dll	GetOEMCP, GetCommandLineA, FlsAlloc, GetACP, FreeLibrary, HeapFree, GetProcessHeap, FlsGetValue, lstrlenW, CreateMutexA, GetCurrentProcessId, WaitForSingleObjectEx, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, WideCharToMultiByte, ReleaseMutex, GetNativeSystemInfo, GetSystemInfo, FlsSetValue, GetLastError, LCMapStringW, GetModuleHandleA, GetComputerNameExW, VirtualQuery, LoadLibraryExW, IsValidCodePage, FindFirstFileExW, HeapAlloc, GetModuleHandleExW, GetModuleHandleW, RtlPcToFileHeader, RaiseException, GetStringTypeW, HeapSize, FormatMessageW, FlsFree, CreateEventW, SetStdHandle, GetConsoleOutputCP, DuplicateHandle, EncodePointer, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InterlockedFlushSList, SetHandleInformation, RtlUnwindEx, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcess, LoadLibraryA, GetProcAddress, CreateIoCompletionPort, GetQueuedCompletionStatusEx, PostQueuedCompletionStatus, CloseHandle, GetCPInfo, ReadFile, GetOverlappedResult, WriteFile, SetFileCompletionNotificationModes, Sleep, WriteConsoleW, MultiByteToWideChar, GetCommandLineW, ExitProcess, GetFileType, GetConsoleMode, HeapReAlloc, GetSystemTimePreciseAsFileTime, SetWaitableTimer, CreateWaitableTimerExW, CreateThread, CancelIo, WaitForMultipleObjects, ReadFileEx, CreateNamedPipeW, GetTempPathW, CopyFileExW, DeleteFileW, FindFirstFileW, WaitForSingleObject, SetFileInformationByHandle, SetThreadStackGuarantee, GetCurrentThread, SetLastError, GetFullPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetModuleFileNameW, GetEnvironmentVariableW, GetCurrentDirectoryW, WriteFileEx, SleepEx, SwitchToThread, QueryPerformanceCounter, QueryPerformanceFrequency, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, GetEnvironmentStringsW, CompareStringOrdinal, GetFileAttributesW, CreateProcessW, GetStdHandle, TerminateProcess, GetExitCodeProcess, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, FindNextFileW, FindClose, CreateFileW, FlushFileBuffers, GetFileInformationByHandle, GetFileInformationByHandleEx, SetFilePointerEx
advapi32.dll	RegisterServiceCtrlHandlerExW, SetServiceStatus, SystemFunction036, RegCloseKey, RegQueryValueExW, RegOpenKeyExW
oleaut32.dll	SafeArrayCreateVector, SysAllocStringLen, SysStringLen, SysFreeString, GetErrorInfo, SafeArrayPutElement, SafeArrayGetLBound, SafeArrayDestroy, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayCreate, SafeArrayGetUBound, VariantClear
ole32.dll	CoSetProxyBlanket, CoInitializeEx, CoCreateInstance, CoInitializeSecurity
user32.dll	GetSystemMetrics
secur32.dll	AcquireCredentialsHandleA, QueryContextAttributesW, ApplyControlToken, EncryptMessage, AcceptSecurityContext, FreeContextBuffer, InitializeSecurityContextW, DecryptMessage, DeleteSecurityContext, FreeCredentialsHandle
crypt32.dll	CertFreeCertificateChain, CertDuplicateCertificateChain, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CertOpenStore, CertCloseStore, CertDuplicateStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertVerifyCertificateChainPolicy, CertGetCertificateChain
bcrypt.dll	BCryptGenRandom
ntdll.dll	RtlNtStatusToDosError, NtCreateFile, NtWriteFile, NtCancelIoFileEx, NtDeviceIoControlFile, NtReadFile
PSAPI.DLL	GetModuleFileNameExW, EnumProcessModules, GetModuleInformation

Exports

Name	Ordinal	Address
DllMain	1	0x180134480
ServiceMain	2	0x180122500
get_hostfxr_path	3	0x180134490

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 15:41:16.819675922 CET	49745	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:16.960021973 CET	80	49745	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:16.960314989 CET	49745	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:16.960803032 CET	49745	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:17.101214886 CET	80	49745	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:17.366375923 CET	80	49745	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:17.417277098 CET	49745	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:17.570432901 CET	49745	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:19.611268044 CET	49750	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:19.751683950 CET	80	49750	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:19.751842022 CET	49750	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:19.751956940 CET	49750	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:19.892425060 CET	80	49750	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:20.190294981 CET	80	49750	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:20.244857073 CET	49750	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:21.508755922 CET	49750	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:21.649326086 CET	80	49750	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:21.649586916 CET	49750	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:21.790070057 CET	80	49750	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:21.799252033 CET	80	49750	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:21.854589939 CET	49750	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:21.987499952 CET	49751	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:41:21.987519979 CET	443	49751	34.120.62.213	192.168.11.20
Dec 19, 2024 15:41:21.987732887 CET	49751	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:41:22.006937027 CET	49751	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:41:22.006946087 CET	443	49751	34.120.62.213	192.168.11.20
Dec 19, 2024 15:41:22.285742044 CET	443	49751	34.120.62.213	192.168.11.20
Dec 19, 2024 15:41:22.286000967 CET	49751	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:41:22.287292004 CET	49751	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:41:22.287316084 CET	443	49751	34.120.62.213	192.168.11.20
Dec 19, 2024 15:41:22.287903070 CET	443	49751	34.120.62.213	192.168.11.20
Dec 19, 2024 15:41:22.315426111 CET	49751	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:41:22.315464973 CET	49751	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:41:22.315499067 CET	443	49751	34.120.62.213	192.168.11.20
Dec 19, 2024 15:41:22.315524101 CET	49751	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:41:22.315543890 CET	443	49751	34.120.62.213	192.168.11.20
Dec 19, 2024 15:41:22.560962915 CET	443	49751	34.120.62.213	192.168.11.20
Dec 19, 2024 15:41:22.561055899 CET	443	49751	34.120.62.213	192.168.11.20
Dec 19, 2024 15:41:22.561201096 CET	49751	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:41:22.567905903 CET	49751	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:41:22.567935944 CET	443	49751	34.120.62.213	192.168.11.20
Dec 19, 2024 15:41:22.568165064 CET	49751	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:41:22.568181038 CET	443	49751	34.120.62.213	192.168.11.20
Dec 19, 2024 15:41:26.822642088 CET	49753	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:27.099931002 CET	80	49753	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:27.100290060 CET	49753	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:27.100353956 CET	49753	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:27.377597094 CET	80	49753	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:27.377870083 CET	80	49753	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:27.431420088 CET	49753	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:28.723632097 CET	49753	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:29.001384974 CET	80	49753	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:29.001565933 CET	49753	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:29.320267916 CET	80	49753	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:31.523180962 CET	49750	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:31.664068937 CET	80	49750	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:31.664264917 CET	49750	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:34.008580923 CET	49754	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:34.149765968 CET	80	49754	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:34.149971008 CET	49754	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:34.150073051 CET	49754	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:34.291229963 CET	80	49754	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:34.559561014 CET	80	49754	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:34.600558043 CET	49754	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:35.877975941 CET	49754	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:36.019120932 CET	80	49754	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:36.019335985 CET	49754	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:36.153346062 CET	80	49754	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:36.160496950 CET	80	49754	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:36.208235979 CET	49754	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:38.740067959 CET	49753	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:39.060314894 CET	80	49753	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:41.161696911 CET	49755	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:41.439068079 CET	80	49755	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:41.439224005 CET	49755	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:41.442650080 CET	49755	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:41.719842911 CET	80	49755	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:41.720027924 CET	80	49755	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:41.770663023 CET	49755	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:42.993484974 CET	49755	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:43.271136999 CET	80	49755	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:43.271399975 CET	49755	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:43.592777967 CET	80	49755	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:45.886785030 CET	49754	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:46.028734922 CET	80	49754	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:46.028884888 CET	49754	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:48.278881073 CET	49757	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:48.419225931 CET	80	49757	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:48.419431925 CET	49757	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:48.419586897 CET	49757	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:48.560077906 CET	80	49757	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:48.860482931 CET	80	49757	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:48.901767015 CET	49757	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:50.136029959 CET	49757	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:50.276417971 CET	80	49757	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:50.276638985 CET	49757	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:50.417285919 CET	80	49757	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:50.426175117 CET	80	49757	18.160.64.42	192.168.11.20
Dec 19, 2024 15:41:50.466274023 CET	49757	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:41:52.998205900 CET	49755	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:53.317049980 CET	80	49755	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:55.435339928 CET	49758	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:55.712886095 CET	80	49758	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:55.713154078 CET	49758	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:55.713289022 CET	49758	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:55.990901947 CET	80	49758	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:55.990911007 CET	80	49758	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:56.032957077 CET	49758	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:57.260992050 CET	49758	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:57.538981915 CET	80	49758	195.133.1.117	192.168.11.20
Dec 19, 2024 15:41:57.539099932 CET	49758	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:41:57.860241890 CET	80	49758	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:00.138701916 CET	49757	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:42:00.280102968 CET	80	49757	18.160.64.42	192.168.11.20
Dec 19, 2024 15:42:00.280391932 CET	49757	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:42:02.545475006 CET	49759	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:42:02.686377048 CET	80	49759	18.160.64.42	192.168.11.20
Dec 19, 2024 15:42:02.686674118 CET	49759	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:42:02.686830044 CET	49759	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:42:02.827644110 CET	80	49759	18.160.64.42	192.168.11.20
Dec 19, 2024 15:42:03.129012108 CET	80	49759	18.160.64.42	192.168.11.20
Dec 19, 2024 15:42:03.184937000 CET	49759	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:42:04.432037115 CET	49759	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:42:04.572978973 CET	80	49759	18.160.64.42	192.168.11.20
Dec 19, 2024 15:42:04.573255062 CET	49759	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:42:04.713995934 CET	80	49759	18.160.64.42	192.168.11.20
Dec 19, 2024 15:42:04.723700047 CET	80	49759	18.160.64.42	192.168.11.20
Dec 19, 2024 15:42:04.777787924 CET	49759	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:42:07.278419971 CET	49758	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:07.596458912 CET	80	49758	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:09.731229067 CET	49760	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:10.008742094 CET	80	49760	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:10.008950949 CET	49760	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:10.009160042 CET	49760	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:10.286362886 CET	80	49760	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:10.286572933 CET	80	49760	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:10.340267897 CET	49760	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:11.610146999 CET	49760	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:11.888114929 CET	80	49760	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:11.888330936 CET	49760	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:12.208750963 CET	80	49760	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:14.441087961 CET	49759	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:42:14.582000971 CET	80	49759	18.160.64.42	192.168.11.20
Dec 19, 2024 15:42:14.582303047 CET	49759	80	192.168.11.20	18.160.64.42
Dec 19, 2024 15:42:17.075828075 CET	49761	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:17.204616070 CET	80	49761	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:17.204844952 CET	49761	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:17.204992056 CET	49761	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:17.334049940 CET	80	49761	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:17.892144918 CET	80	49761	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:17.940290928 CET	49761	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:19.214903116 CET	49761	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:19.343643904 CET	80	49761	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:19.343888044 CET	49761	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:19.472620964 CET	80	49761	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:19.489932060 CET	80	49761	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:19.545209885 CET	49761	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:21.624021053 CET	49760	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:21.944767952 CET	80	49760	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:24.498581886 CET	49762	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:24.781302929 CET	80	49762	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:24.781430006 CET	49762	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:24.781586885 CET	49762	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:25.064235926 CET	80	49762	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:25.064577103 CET	80	49762	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:25.107566118 CET	49762	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:26.320166111 CET	49762	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:26.602932930 CET	80	49762	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:26.603110075 CET	49762	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:26.604619980 CET	49763	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:42:26.604643106 CET	443	49763	34.120.62.213	192.168.11.20
Dec 19, 2024 15:42:26.604841948 CET	49763	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:42:26.605259895 CET	49763	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:42:26.605272055 CET	443	49763	34.120.62.213	192.168.11.20
Dec 19, 2024 15:42:26.868411064 CET	443	49763	34.120.62.213	192.168.11.20
Dec 19, 2024 15:42:26.868632078 CET	49763	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:42:26.872175932 CET	49763	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:42:26.872185946 CET	443	49763	34.120.62.213	192.168.11.20
Dec 19, 2024 15:42:26.872421026 CET	443	49763	34.120.62.213	192.168.11.20
Dec 19, 2024 15:42:26.876563072 CET	49763	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:42:26.876616955 CET	443	49763	34.120.62.213	192.168.11.20
Dec 19, 2024 15:42:26.876631021 CET	49763	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:42:26.876686096 CET	443	49763	34.120.62.213	192.168.11.20
Dec 19, 2024 15:42:26.925975084 CET	80	49762	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:27.156244993 CET	443	49763	34.120.62.213	192.168.11.20
Dec 19, 2024 15:42:27.156368971 CET	443	49763	34.120.62.213	192.168.11.20
Dec 19, 2024 15:42:27.156651974 CET	49763	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:42:27.157502890 CET	49763	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:42:27.157531977 CET	443	49763	34.120.62.213	192.168.11.20
Dec 19, 2024 15:42:27.157691002 CET	49763	443	192.168.11.20	34.120.62.213
Dec 19, 2024 15:42:27.157718897 CET	443	49763	34.120.62.213	192.168.11.20
Dec 19, 2024 15:42:29.229202986 CET	49761	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:29.359354973 CET	80	49761	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:29.359518051 CET	49761	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:31.620532990 CET	49764	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:31.749270916 CET	80	49764	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:31.749428034 CET	49764	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:31.749531984 CET	49764	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:31.878091097 CET	80	49764	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:32.209522009 CET	80	49764	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:32.259820938 CET	49764	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:33.592750072 CET	49764	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:33.721560001 CET	80	49764	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:33.721709967 CET	49764	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:33.850513935 CET	80	49764	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:33.885438919 CET	80	49764	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:33.938620090 CET	49764	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:36.329739094 CET	49762	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:36.653924942 CET	80	49762	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:38.891997099 CET	49765	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:39.175332069 CET	80	49765	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:39.175568104 CET	49765	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:39.175698042 CET	49765	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:39.458796024 CET	80	49765	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:39.459016085 CET	80	49765	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:39.500984907 CET	49765	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:40.837131023 CET	49765	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:41.120515108 CET	80	49765	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:41.120707989 CET	49765	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:41.445990086 CET	80	49765	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:43.605541945 CET	49764	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:43.735296011 CET	80	49764	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:43.735539913 CET	49764	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:46.138020039 CET	49766	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:46.267353058 CET	80	49766	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:46.267517090 CET	49766	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:46.276832104 CET	49766	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:46.406071901 CET	80	49766	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:46.737844944 CET	80	49766	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:46.792325974 CET	49766	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:48.000873089 CET	49766	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:48.129545927 CET	80	49766	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:48.129723072 CET	49766	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:48.258433104 CET	80	49766	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:48.293513060 CET	80	49766	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:48.346801996 CET	49766	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:50.847348928 CET	49765	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:51.174083948 CET	80	49765	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:53.300390959 CET	49767	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:53.578140020 CET	80	49767	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:53.578465939 CET	49767	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:53.578612089 CET	49767	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:53.856296062 CET	80	49767	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:53.856395006 CET	80	49767	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:53.909127951 CET	49767	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:55.129507065 CET	49767	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:55.407239914 CET	80	49767	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:55.407401085 CET	49767	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:42:55.728756905 CET	80	49767	195.133.1.117	192.168.11.20
Dec 19, 2024 15:42:58.007376909 CET	49766	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:42:58.136250973 CET	80	49766	108.157.172.115	192.168.11.20
Dec 19, 2024 15:42:58.136533022 CET	49766	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:00.414330959 CET	49768	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:00.543126106 CET	80	49768	108.157.172.115	192.168.11.20
Dec 19, 2024 15:43:00.543397903 CET	49768	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:00.543528080 CET	49768	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:00.672347069 CET	80	49768	108.157.172.115	192.168.11.20
Dec 19, 2024 15:43:00.967614889 CET	80	49768	108.157.172.115	192.168.11.20
Dec 19, 2024 15:43:01.022304058 CET	49768	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:02.278930902 CET	49768	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:02.407695055 CET	80	49768	108.157.172.115	192.168.11.20
Dec 19, 2024 15:43:02.408456087 CET	49768	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:02.537235975 CET	80	49768	108.157.172.115	192.168.11.20
Dec 19, 2024 15:43:02.553746939 CET	80	49768	108.157.172.115	192.168.11.20
Dec 19, 2024 15:43:02.609219074 CET	49768	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:05.141127110 CET	49767	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:43:05.460975885 CET	80	49767	195.133.1.117	192.168.11.20
Dec 19, 2024 15:43:07.562700987 CET	49769	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:43:07.842305899 CET	80	49769	195.133.1.117	192.168.11.20
Dec 19, 2024 15:43:07.842464924 CET	49769	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:43:07.842649937 CET	49769	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:43:08.122102022 CET	80	49769	195.133.1.117	192.168.11.20
Dec 19, 2024 15:43:08.122116089 CET	80	49769	195.133.1.117	192.168.11.20
Dec 19, 2024 15:43:08.171719074 CET	49769	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:43:09.361943007 CET	49769	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:43:09.641323090 CET	80	49769	195.133.1.117	192.168.11.20
Dec 19, 2024 15:43:09.641448021 CET	49769	80	192.168.11.20	195.133.1.117
Dec 19, 2024 15:43:09.961997032 CET	80	49769	195.133.1.117	192.168.11.20
Dec 19, 2024 15:43:12.286637068 CET	49768	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:12.415741920 CET	80	49768	108.157.172.115	192.168.11.20
Dec 19, 2024 15:43:12.415888071 CET	49768	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:14.646923065 CET	49770	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:14.775676012 CET	80	49770	108.157.172.115	192.168.11.20
Dec 19, 2024 15:43:14.776045084 CET	49770	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:15.138123035 CET	49770	80	192.168.11.20	108.157.172.115
Dec 19, 2024 15:43:15.266830921 CET	80	49770	108.157.172.115	192.168.11.20
Dec 19, 2024 15:43:15.556468010 CET	80	49770	108.157.172.115	192.168.11.20
Dec 19, 2024 15:43:15.598289013 CET	49770	80	192.168.11.20	108.157.172.115

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 15:41:16.644102097 CET	54439	53	192.168.11.20	1.1.1.1
Dec 19, 2024 15:41:16.817531109 CET	53	54439	1.1.1.1	192.168.11.20
Dec 19, 2024 15:41:21.810903072 CET	65384	53	192.168.11.20	1.1.1.1
Dec 19, 2024 15:41:21.986443043 CET	53	65384	1.1.1.1	192.168.11.20
Dec 19, 2024 15:42:16.895333052 CET	59436	53	192.168.11.20	1.1.1.1
Dec 19, 2024 15:42:17.074992895 CET	53	59436	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 15:41:16.644102097 CET	192.168.11.20	1.1.1.1	0xdadf	Standard query (0)	d2np1vqkcxhde6.cloudfront.net	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:41:21.810903072 CET	192.168.11.20	1.1.1.1	0x7662	Standard query (0)	o4508128816857088.ingest.de.sentry.io	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:42:16.895333052 CET	192.168.11.20	1.1.1.1	0x7828	Standard query (0)	d2np1vqkcxhde6.cloudfront.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 15:41:16.817531109 CET	1.1.1.1	192.168.11.20	0xdadf	No error (0)	d2np1vqkcxhde6.cloudfront.net	18.160.64.42	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:41:16.817531109 CET	1.1.1.1	192.168.11.20	0xdadf	No error (0)	d2np1vqkcxhde6.cloudfront.net	18.160.64.26	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:41:16.817531109 CET	1.1.1.1	192.168.11.20	0xdadf	No error (0)	d2np1vqkcxhde6.cloudfront.net	18.160.64.137	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:41:16.817531109 CET	1.1.1.1	192.168.11.20	0xdadf	No error (0)	d2np1vqkcxhde6.cloudfront.net	18.160.64.149	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:41:21.986443043 CET	1.1.1.1	192.168.11.20	0x7662	No error (0)	o4508128816857088.ingest.de.sentry.io	34.120.62.213	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:42:17.074992895 CET	1.1.1.1	192.168.11.20	0x7828	No error (0)	d2np1vqkcxhde6.cloudfront.net	108.157.172.115	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:42:17.074992895 CET	1.1.1.1	192.168.11.20	0x7828	No error (0)	d2np1vqkcxhde6.cloudfront.net	108.157.172.58	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:42:17.074992895 CET	1.1.1.1	192.168.11.20	0x7828	No error (0)	d2np1vqkcxhde6.cloudfront.net	108.157.172.206	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:42:17.074992895 CET	1.1.1.1	192.168.11.20	0x7828	No error (0)	d2np1vqkcxhde6.cloudfront.net	108.157.172.59	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

o4508128816857088.ingest.de.sentry.io

d2np1vqkcxhde6.cloudfront.net

195.133.1.117

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49745	18.160.64.42	80	836	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:41:16.960803032 CET	170	OUT	GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: UYOzZ2YAtcs1i13x87Kc+g==
Dec 19, 2024 15:41:17.366375923 CET	363	IN	HTTP/1.1 101 Switching Protocols Connection: upgrade upgrade: websocket sec-websocket-accept: pPaxMxozuWprJY50JKm0906vjQo= date: Thu, 19 Dec 2024 14:41:17 GMT X-Cache: Miss from cloudfront Via: 1.1 339161fcedc527e4835cc6e81141de5c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ATL59-P1 X-Amz-Cf-Id: Ke1qr1TixdVBLjoExaa7AkCrp2mqzK8rj0QtdebZC4k8NKlpQOzFtw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49750	18.160.64.42	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:41:19.751956940 CET	170	OUT	GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: Mw1Z/LTqLgkNLRnkhKQaTA==
Dec 19, 2024 15:41:20.190294981 CET	363	IN	HTTP/1.1 101 Switching Protocols Connection: upgrade upgrade: websocket sec-websocket-accept: a3ixL+QnbCpe0n+Sp2m19Z9gYcg= date: Thu, 19 Dec 2024 14:41:19 GMT X-Cache: Miss from cloudfront Via: 1.1 991cd5258e37cadb4872c02ccf777324.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ATL59-P1 X-Amz-Cf-Id: huBMzeu3xIm8A-fX30IusiXZuLaI2VmCD2B9gBdosMHcxfCjQBO42A==
Dec 19, 2024 15:41:21.508755922 CET	235	OUT	Data Raw: 82 fe 00 e3 52 8c 84 7d 52 8a c5 0f 26 e4 f1 0f 5a db b5 4d 64 b8 db 4d 61 84 d3 4c 62 ba b0 22 62 bf 85 4e 09 de b4 20 72 de c0 29 01 cf a8 5d 60 ac e2 1c 3b e0 a8 5d 66 ac e2 1c 3b e0 a8 5d 64 ac e2 1c 3b e0 a8 5d 6a ac e2 1c 3b e0 a8 5d 63 be Data Ascii: R}R&ZMdMaLb"bN r)]`;]f;]d;]j;]c3$!1&=Qr&; aSfQr?<63.!;'SbL3;;3LrNcfJkfI4E6`NaL\|O3
Dec 19, 2024 15:41:21.649586916 CET	6	OUT	Data Raw: 89 80 54 10 95 7a Data Ascii: Tz
Dec 19, 2024 15:41:21.799252033 CET	2	IN	Data Raw: 88 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49753	195.133.1.117	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:41:27.100353956 CET	154	OUT	GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: CBXXvEsoITtUTt+BOyKsUQ==
Dec 19, 2024 15:41:27.377870083 CET	166	IN	HTTP/1.1 101 Switching Protocols connection: upgrade upgrade: websocket sec-websocket-accept: v0AbAkZ8no4VD9gwmeg8lr5T/lA= date: Thu, 19 Dec 2024 14:41:27 GMT
Dec 19, 2024 15:41:28.723632097 CET	235	OUT	Data Raw: 82 fe 00 e3 5a 93 02 2e 5a 95 43 5c 2e fb 77 5c 52 c4 33 1e 6c a7 5d 1e 69 9b 55 1f 6a a5 36 71 6a a0 03 1d 01 c1 32 73 7a c1 46 7a 09 d0 2e 0e 68 b3 64 4f 33 ff 2e 0e 6e b3 64 4f 33 ff 2e 0e 6c b3 64 4f 33 ff 2e 0e 62 b3 64 4f 33 ff 2e 0e 6b a1 Data Ascii: Z.ZC\.w\R3l]iUj6qj2szFz.hdO3.ndO3.ldO3.bdO3.k"H;nFvG,p[)QK9pG.VA5qzm\.AB3lZqZa[(vWi2n;zm\7lo>CY;g}n[)lZ3k\/3jp;fh3gY;nzdk;Jn:c`Hn1<2>`Kh4it,;
Dec 19, 2024 15:41:29.001384974 CET	2	IN	Data Raw: 88 00 Data Ascii:
Dec 19, 2024 15:41:29.001565933 CET	6	OUT	Data Raw: 89 80 c7 c9 68 65 Data Ascii: he

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49754	18.160.64.42	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:41:34.150073051 CET	170	OUT	GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: ZUAtcwQnAf5wRYRkfuHSuw==
Dec 19, 2024 15:41:34.559561014 CET	363	IN	HTTP/1.1 101 Switching Protocols Connection: upgrade upgrade: websocket sec-websocket-accept: mwlDUGhT6TIcDWNxyU5r3sGsvX0= date: Thu, 19 Dec 2024 14:41:34 GMT X-Cache: Miss from cloudfront Via: 1.1 97019997b7cf0778100102dc3dcb2ebe.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ATL59-P1 X-Amz-Cf-Id: lby3ArcgrgrGRx8VdkJdd962f3gRpCTAKFaSKRhNVQt4Royt5yrQCA==
Dec 19, 2024 15:41:35.877975941 CET	235	OUT	Data Raw: 82 fe 00 e3 f5 7f fd 4f f5 79 bc 3d 81 17 88 3d fd 28 cc 7f c3 4b a2 7f c6 77 aa 7e c5 49 c9 10 c5 4c fc 7c ae 2d cd 12 d5 2d b9 1b a6 3c d1 6f c7 5f 9b 2e 9c 13 d1 6f c1 5f 9b 2e 9c 13 d1 6f c3 5f 9b 2e 9c 13 d1 6f cd 5f 9b 2e 9c 13 d1 6f c4 4d Data Ascii: Oy==(Kw~IL\|--<o_.o_.o_.o_.oM)'&:P& c9=#;;:6QaJc1=R8/:>;=aI~8~\|H+FxL)M{HwLG\|~O}
Dec 19, 2024 15:41:36.019335985 CET	6	OUT	Data Raw: 89 80 19 04 e6 1b Data Ascii:
Dec 19, 2024 15:41:36.153346062 CET	2	IN	Data Raw: 88 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49755	195.133.1.117	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:41:41.442650080 CET	154	OUT	GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: MzNHV3ANNZeYTEtbeWl93Q==
Dec 19, 2024 15:41:41.720027924 CET	166	IN	HTTP/1.1 101 Switching Protocols connection: upgrade upgrade: websocket sec-websocket-accept: iz7rovgczSwya3w5Dy9yCbjkPbw= date: Thu, 19 Dec 2024 14:41:41 GMT
Dec 19, 2024 15:41:42.993484974 CET	235	OUT	Data Raw: 82 fe 00 e3 89 c3 62 86 89 c5 23 f4 fd ab 17 f4 81 94 53 b6 bf f7 3d b6 ba cb 35 b7 b9 f5 56 d9 b9 f0 63 b5 d2 91 52 db a9 91 26 d2 da 80 4e a6 bb e3 04 e7 e0 af 4e a6 bd e3 04 e7 e0 af 4e a6 bf e3 04 e7 e0 af 4e a6 b1 e3 04 e7 e0 af 4e a6 b8 f1 Data Ascii: b#S=5VcR&NNNNNB16!R[#S[ZQRTdLb
Dec 19, 2024 15:41:43.271136999 CET	2	IN	Data Raw: 88 00 Data Ascii:
Dec 19, 2024 15:41:43.271399975 CET	6	OUT	Data Raw: 89 80 29 b0 43 03 Data Ascii: )C

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49757	18.160.64.42	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:41:48.419586897 CET	170	OUT	GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: svHsmLZe5HtY16UWgdWrqg==
Dec 19, 2024 15:41:48.860482931 CET	363	IN	HTTP/1.1 101 Switching Protocols Connection: upgrade upgrade: websocket sec-websocket-accept: yTUgxrI8008FVdrxLC7GuqFen5A= date: Thu, 19 Dec 2024 14:41:48 GMT X-Cache: Miss from cloudfront Via: 1.1 f47495a264710eda031284d475b7c21e.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ATL59-P1 X-Amz-Cf-Id: CLYV4MGJKxOBuGRdhgZbLacgpUX6lQE_beM8SNRsmNY1OtJbDOUTtw==
Dec 19, 2024 15:41:50.136029959 CET	235	OUT	Data Raw: 82 fe 00 e3 0d 6c 31 e7 0d 6a 70 95 79 04 44 95 05 3b 00 d7 3b 58 6e d7 3e 64 66 d6 3d 5a 05 b8 3d 5f 30 d4 56 3e 01 ba 2d 3e 75 b3 5e 2f 1d c7 3f 4c 57 86 64 00 1d c7 39 4c 57 86 64 00 1d c7 3b 4c 57 86 64 00 1d c7 35 4c 57 86 64 00 1d c7 3c 5e Data Ascii: l1jpyD;;Xn>df=Z=_0V>->u^/?LWd9LWd;LWd5LWd<^l]LE{C~CbnCyebB-*^yrd_EB^RE>B9Y-"^`_iAplTH<]~-_dXx=ZClUdTl]-W<[9U4_S9^k[i_S?T>l7#\ll1
Dec 19, 2024 15:41:50.276638985 CET	6	OUT	Data Raw: 89 80 7b 04 75 aa Data Ascii: {u
Dec 19, 2024 15:41:50.426175117 CET	2	IN	Data Raw: 88 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49758	195.133.1.117	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:41:55.713289022 CET	154	OUT	GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: X+G109X9tM81+sMbtrX9YQ==
Dec 19, 2024 15:41:55.990911007 CET	166	IN	HTTP/1.1 101 Switching Protocols connection: upgrade upgrade: websocket sec-websocket-accept: 8efoMc2Duzlw4Nq2LhPPeJwXHEE= date: Thu, 19 Dec 2024 14:41:55 GMT
Dec 19, 2024 15:41:57.260992050 CET	235	OUT	Data Raw: 82 fe 00 e3 5d 09 95 fb 5d 0f d4 89 29 61 e0 89 55 5e a4 cb 6b 3d ca cb 6e 01 c2 ca 6d 3f a1 a4 6d 3a 94 c8 06 5b a5 a6 7d 5b d1 af 0e 4a b9 db 6f 29 f3 9a 34 65 b9 db 69 29 f3 9a 34 65 b9 db 6b 29 f3 9a 34 65 b9 db 65 29 f3 9a 34 65 b9 db 6c 3b Data Ascii: ]])aU^k=nm?m:[}[Jo)4ei)4ek)4ee)4el;<`g+`.&>\|)p2e}O)`4lfl/`n'i<}G0h9$<{Y.H4(zm?<g4{<e}ll>i0d:i;;>9:o1ns9<
Dec 19, 2024 15:41:57.538981915 CET	2	IN	Data Raw: 88 00 Data Ascii:
Dec 19, 2024 15:41:57.539099932 CET	6	OUT	Data Raw: 89 80 30 51 93 80 Data Ascii: 0Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49759	18.160.64.42	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:42:02.686830044 CET	170	OUT	GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: PEvQylND7d43XUNT3qvEVg==
Dec 19, 2024 15:42:03.129012108 CET	363	IN	HTTP/1.1 101 Switching Protocols Connection: upgrade upgrade: websocket sec-websocket-accept: px1rzX9KSP85mxMaK6UjVuHZRp8= date: Thu, 19 Dec 2024 14:42:02 GMT X-Cache: Miss from cloudfront Via: 1.1 69292d7067d80cd4699c5ef33de94644.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ATL59-P1 X-Amz-Cf-Id: B4ee_vUirTzsfktg9CddP8rmn3Qay3eHD0Gy84cpyuzQ4m_xIpJFlA==
Dec 19, 2024 15:42:04.432037115 CET	235	OUT	Data Raw: 82 fe 00 e3 db 99 07 e4 db 9f 46 96 af f1 72 96 d3 ce 36 d4 ed ad 58 d4 e8 91 50 d5 eb af 33 bb eb aa 06 d7 80 cb 37 b9 fb cb 43 b0 88 da 2b c4 e9 b9 61 85 b2 f5 2b c4 ef b9 61 85 b2 f5 2b c4 ed b9 61 85 b2 f5 2b c4 e3 b9 61 85 b2 f5 2b c4 ea ab Data Ascii: Fr6XP37C+a+a+a+a+'ksuTuSthDitds7>hiFbkin6ucbka>?e47e1)
Dec 19, 2024 15:42:04.573255062 CET	6	OUT	Data Raw: 89 80 f9 8c a7 8c Data Ascii:
Dec 19, 2024 15:42:04.723700047 CET	2	IN	Data Raw: 88 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.11.20	49760	195.133.1.117	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:42:10.009160042 CET	154	OUT	GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: roWtbVmk63b2Bs9SFiY8Ag==
Dec 19, 2024 15:42:10.286572933 CET	166	IN	HTTP/1.1 101 Switching Protocols connection: upgrade upgrade: websocket sec-websocket-accept: aSjQpK7I3I4RyHGZSFeAiy77z6E= date: Thu, 19 Dec 2024 14:42:09 GMT
Dec 19, 2024 15:42:11.610146999 CET	235	OUT	Data Raw: 82 fe 00 e3 92 a2 ed a0 92 a4 ac d2 e6 ca 98 d2 9a f5 dc 90 a4 96 b2 90 a1 aa ba 91 a2 94 d9 ff a2 91 ec 93 c9 f0 dd fd b2 f0 a9 f4 c1 e1 c1 80 a0 82 8b c1 fb ce c1 80 a6 82 8b c1 fb ce c1 80 a4 82 8b c1 fb ce c1 80 aa 82 8b c1 fb ce c1 80 a3 90 Data Ascii:
Dec 19, 2024 15:42:11.888114929 CET	2	IN	Data Raw: 88 00 Data Ascii:
Dec 19, 2024 15:42:11.888330936 CET	6	OUT	Data Raw: 89 80 fd e8 1a 4b Data Ascii: K

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.11.20	49761	108.157.172.115	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:42:17.204992056 CET	170	OUT	GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: a6fF2qAv8dn0cmuFp5hYiQ==
Dec 19, 2024 15:42:17.892144918 CET	362	IN	HTTP/1.1 101 Switching Protocols Connection: upgrade upgrade: websocket sec-websocket-accept: XstNteVH3wgn0OtbS2MSfXqCDqA= date: Thu, 19 Dec 2024 14:42:17 GMT X-Cache: Miss from cloudfront Via: 1.1 d6c3d8e2bcf9b0f41a443121af4c96bc.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P3 X-Amz-Cf-Id: Pe6V_NLVVgTXtPDGS4pBcUIu2aOM-6UtuwP0nBOmZ8jOsUCAXCD3eQ==
Dec 19, 2024 15:42:19.214903116 CET	235	OUT	Data Raw: 82 fe 00 e3 13 7a fc 42 13 7c bd 30 67 12 89 30 1b 2d cd 72 25 4e a3 72 20 72 ab 73 23 4c c8 1d 23 49 fd 71 48 28 cc 1f 33 28 b8 16 40 39 d0 62 21 5a 9a 23 7a 16 d0 62 27 5a 9a 23 7a 16 d0 62 25 5a 9a 23 7a 16 d0 62 2b 5a 9a 23 7a 16 d0 62 22 48 Data Ascii: zB\|0g0-r%Nr rs#L#IqH(3(@9b!Z#zb'Z#zb%Z#zb+Z#zb"H$rR+e7`U'p+g-\|n3<0g.z6[6@7a; Tl'On340~wW5rV7`;6z0fl#Lsrz5rs3q"M&'Cu*I$'HvuMzwI'!Bq zs=Jprz
Dec 19, 2024 15:42:19.343888044 CET	6	OUT	Data Raw: 89 80 9c d8 b0 3a Data Ascii: :
Dec 19, 2024 15:42:19.489932060 CET	2	IN	Data Raw: 88 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.11.20	49762	195.133.1.117	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:42:24.781586885 CET	154	OUT	GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: UNO1ZzRG/JrA31KSleNmIA==
Dec 19, 2024 15:42:25.064577103 CET	166	IN	HTTP/1.1 101 Switching Protocols connection: upgrade upgrade: websocket sec-websocket-accept: 77IqwApVXneD+vsqQTbdI5QrIAM= date: Thu, 19 Dec 2024 14:42:24 GMT
Dec 19, 2024 15:42:26.320166111 CET	235	OUT	Data Raw: 82 fe 00 e3 9c 5d f7 4f 9c 5b b6 3d e8 35 82 3d 94 0a c6 7f aa 69 a8 7f af 55 a0 7e ac 6b c3 10 ac 6e f6 7c c7 0f c7 12 bc 0f b3 1b cf 1e db 6f ae 7d 91 2e f5 31 db 6f a8 7d 91 2e f5 31 db 6f aa 7d 91 2e f5 31 db 6f a4 7d 91 2e f5 31 db 6f ad 6f Data Ascii: ]O[=5=iU~kn\|o}.1o}.1o}.1o}.1oo)4'3&4:r(&$ 1c=4#8;2;8:46sahc=<p8/:;+=.ak~3/81~8\|j+dxn)o{jwne\|]~m}]
Dec 19, 2024 15:42:26.602932930 CET	2	IN	Data Raw: 88 00 Data Ascii:
Dec 19, 2024 15:42:26.603110075 CET	6	OUT	Data Raw: 89 80 7a 17 92 78 Data Ascii: zx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.11.20	49764	108.157.172.115	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:42:31.749531984 CET	170	OUT	GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: VPk9YnZ8d1WtxvcoozGrKQ==
Dec 19, 2024 15:42:32.209522009 CET	362	IN	HTTP/1.1 101 Switching Protocols Connection: upgrade upgrade: websocket sec-websocket-accept: IQ1cgCfeptdHQxADGmPww1z86s8= date: Thu, 19 Dec 2024 14:42:31 GMT X-Cache: Miss from cloudfront Via: 1.1 ad49ff8ff03d68efb9eb939751d77c56.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P3 X-Amz-Cf-Id: w4-uzxV5gtDdSV7TSy9a-4ZZEzpyoeuoUYNff1Yjy_JH3nqWPJkszA==
Dec 19, 2024 15:42:33.592750072 CET	235	OUT	Data Raw: 82 fe 00 e3 1d 0d 44 52 1d 0b 05 20 69 65 31 20 15 5a 75 62 2b 39 1b 62 2e 05 13 63 2d 3b 70 0d 2d 3e 45 61 46 5f 74 0f 3d 5f 00 06 4e 4e 68 72 2f 2d 22 33 74 61 68 72 29 2d 22 33 74 61 68 72 2b 2d 22 33 74 61 68 72 25 2d 22 33 74 61 68 72 2c 3f Data Ascii: DR ie1 Zub+9b.c-;p->EaF_t=_NNhr/-"3tahr)-"3tahr+-"3tahr%-"3tahr,?d4\|d(:\c0;kd6'n"7~x6;it=ra7~=K+ id>th&Ub7&Nh''od0+.#t\|)8}~=C+ ply %\|!X]('nL*&t{- h~u\|-;6c\|c t!%\|a(c=h"a,:}6)4\|e$>&4)?wf{:tjy>&7/5ra.Bc3=j`\|D
Dec 19, 2024 15:42:33.721709967 CET	6	OUT	Data Raw: 89 80 23 7f 7e b6 Data Ascii: #~
Dec 19, 2024 15:42:33.885438919 CET	2	IN	Data Raw: 88 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.11.20	49765	195.133.1.117	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:42:39.175698042 CET	154	OUT	GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: 04MegWaZAmHDpRsK84dP6Q==
Dec 19, 2024 15:42:39.459016085 CET	166	IN	HTTP/1.1 101 Switching Protocols connection: upgrade upgrade: websocket sec-websocket-accept: ZfZxvm81Bwa4MzRAf3L9AqyMfJo= date: Thu, 19 Dec 2024 14:42:39 GMT
Dec 19, 2024 15:42:40.837131023 CET	235	OUT	Data Raw: 82 fe 00 e3 8c 00 75 39 8c 06 34 4b f8 68 00 4b 84 57 44 09 ba 34 2a 09 bf 08 22 08 bc 36 41 66 bc 33 74 0a d7 52 45 64 ac 52 31 6d df 43 59 19 be 20 13 58 e5 6c 59 19 b8 20 13 58 e5 6c 59 19 ba 20 13 58 e5 6c 59 19 b4 20 13 58 e5 6c 59 19 bd 32 Data Ascii: u94KhKWD4*"6Af3tREdR1mCY XlY XlY XlY XlY2U_iQnPiL/&\uPy!VlFKi6UeMoMeLi@.E5LNKax-4NrjPLAMvKsD6nrNle7L]9M3_2F7E3\8Cs0[u
Dec 19, 2024 15:42:41.120515108 CET	2	IN	Data Raw: 88 00 Data Ascii:
Dec 19, 2024 15:42:41.120707989 CET	6	OUT	Data Raw: 89 80 45 34 77 7e Data Ascii: E4w~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.11.20	49766	108.157.172.115	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:42:46.276832104 CET	170	OUT	GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: yge8Pu/UtqSnKQ38gEEGkw==
Dec 19, 2024 15:42:46.737844944 CET	362	IN	HTTP/1.1 101 Switching Protocols Connection: upgrade upgrade: websocket sec-websocket-accept: LR4b9BaDtibW7X7V0fy6Ps4us2M= date: Thu, 19 Dec 2024 14:42:46 GMT X-Cache: Miss from cloudfront Via: 1.1 b071197ca0cdda2953c667503cd2c778.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P3 X-Amz-Cf-Id: L7y2Ba1H-VUhjzCc-o-txQLedfvoEyqSgyutNl94e5ojHVpaxS2A7g==
Dec 19, 2024 15:42:48.000873089 CET	235	OUT	Data Raw: 82 fe 00 e3 4c 38 c4 c4 4c 3e 85 b6 38 50 b1 b6 44 6f f5 f4 7a 0c 9b f4 7f 30 93 f5 7c 0e f0 9b 7c 0b c5 f7 17 6a f4 99 6c 6a 80 90 1f 7b e8 e4 7e 18 a2 a5 25 54 e8 e4 78 18 a2 a5 25 54 e8 e4 7a 18 a2 a5 25 54 e8 e4 74 18 a2 a5 25 54 e8 e4 7d 0a Data Ascii: L8L>8PDoz0\|\|jlj{~%Tx%Tz%Tt%T}-QV:Q?/M8A#Tl~8Q%]W]>Qxlv!Y(-Jh?y%N9K\|-V%J-Tl]}xux*(~8b-8
Dec 19, 2024 15:42:48.129723072 CET	6	OUT	Data Raw: 89 80 27 e5 97 c2 Data Ascii: '
Dec 19, 2024 15:42:48.293513060 CET	2	IN	Data Raw: 88 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.11.20	49767	195.133.1.117	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:42:53.578612089 CET	154	OUT	GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: +qGA7SKr5nFHYVsovqWR7A==
Dec 19, 2024 15:42:53.856395006 CET	166	IN	HTTP/1.1 101 Switching Protocols connection: upgrade upgrade: websocket sec-websocket-accept: NkLVW7qi4UKR1Zl+d8a0NQBFsho= date: Thu, 19 Dec 2024 14:42:53 GMT
Dec 19, 2024 15:42:55.129507065 CET	235	OUT	Data Raw: 82 fe 00 e3 7c 91 b0 b2 7c 97 f1 c0 08 f9 c5 c0 74 c6 81 82 4a a5 ef 82 4f 99 e7 83 4c a7 84 ed 4c a2 b1 81 27 c3 80 ef 5c c3 f4 e6 2f d2 9c 92 4e b1 d6 d3 15 fd 9c 92 48 b1 d6 d3 15 fd 9c 92 4a b1 d6 d3 15 fd 9c 92 44 b1 d6 d3 15 fd 9c 92 4d a3 Data Ascii: \|\|tJOLL'\/NHJDM=\4/OH\9L\MHEHNOR
Dec 19, 2024 15:42:55.407239914 CET	2	IN	Data Raw: 88 00 Data Ascii:
Dec 19, 2024 15:42:55.407401085 CET	6	OUT	Data Raw: 89 80 e8 e4 1f 7a Data Ascii: z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.11.20	49768	108.157.172.115	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:43:00.543528080 CET	170	OUT	GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: jQUG6hvrh79opMqDTR/cgw==
Dec 19, 2024 15:43:00.967614889 CET	362	IN	HTTP/1.1 101 Switching Protocols Connection: upgrade upgrade: websocket sec-websocket-accept: RUkseXiwzDMpSW4kVSdqXI9fbMs= date: Thu, 19 Dec 2024 14:43:00 GMT X-Cache: Miss from cloudfront Via: 1.1 21d03b2221803a81f507c74be4779a0c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P3 X-Amz-Cf-Id: GSnlDUhsEYhd3m5ysgUZjRyjLsnT2J49XB63WQL-z5ePRfOczOkUXQ==
Dec 19, 2024 15:43:02.278930902 CET	235	OUT	Data Raw: 82 fe 00 e3 19 fd bf 1a 19 fb fe 68 6d 95 ca 68 11 aa 8e 2a 2f c9 e0 2a 2a f5 e8 2b 29 cb 8b 45 29 ce be 29 42 af 8f 47 39 af fb 4e 4a be 93 3a 2b dd d9 7b 70 91 93 3a 2d dd d9 7b 70 91 93 3a 2f dd d9 7b 70 91 93 3a 21 dd d9 7b 70 91 93 3a 28 cf Data Ascii: hmh/+)E))BG9NJ:+{p:-{p:/{p:!{p:(\|xrXsoojzsmuv69hmvpnQnJokc4-69ht[}mxI\ojnphl4)+x\pmx+9)(~-- \|-."}+)*+7(x
Dec 19, 2024 15:43:02.408456087 CET	6	OUT	Data Raw: 89 80 ac e0 18 f4 Data Ascii:
Dec 19, 2024 15:43:02.553746939 CET	2	IN	Data Raw: 88 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.11.20	49769	195.133.1.117	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:43:07.842649937 CET	154	OUT	GET /ws HTTP/1.1 Host: 195.133.1.117 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: fVxH0q9LuJWk6ISi5xwM6w==
Dec 19, 2024 15:43:08.122116089 CET	166	IN	HTTP/1.1 101 Switching Protocols connection: upgrade upgrade: websocket sec-websocket-accept: yJcBiPmoGyIIHp+xQqOKZV+mEtw= date: Thu, 19 Dec 2024 14:43:07 GMT
Dec 19, 2024 15:43:09.361943007 CET	235	OUT	Data Raw: 82 fe 00 e3 ce f4 b0 03 ce f2 f1 71 ba 9c c5 71 c6 a3 81 33 f8 c0 ef 33 fd fc e7 32 fe c2 84 5c fe c7 b1 30 95 a6 80 5e ee a6 f4 57 9d b7 9c 23 fc d4 d6 62 a7 98 9c 23 fa d4 d6 62 a7 98 9c 23 f8 d4 d6 62 a7 98 9c 23 f6 d4 d6 62 a7 98 9c 23 ff c6 Data Ascii: qq332\0^W#b#b#b#b#ekjvfjl/qowwvz-/qBtPvwq-2Et20g4e7;f021
Dec 19, 2024 15:43:09.641323090 CET	2	IN	Data Raw: 88 00 Data Ascii:
Dec 19, 2024 15:43:09.641448021 CET	6	OUT	Data Raw: 89 80 09 ff 40 91 Data Ascii: @

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.11.20	49770	108.157.172.115	80	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 15:43:15.138123035 CET	170	OUT	GET /ws HTTP/1.1 Host: d2np1vqkcxhde6.cloudfront.net Connection: Upgrade Upgrade: websocket Sec-WebSocket-Version: 13 Sec-WebSocket-Key: VXIHAh+XO4HCn9ufP09slA==
Dec 19, 2024 15:43:15.556468010 CET	362	IN	HTTP/1.1 101 Switching Protocols Connection: upgrade upgrade: websocket sec-websocket-accept: NS4F7pbBgf/lzAuNRI45WVEUfcc= date: Thu, 19 Dec 2024 14:43:15 GMT X-Cache: Miss from cloudfront Via: 1.1 f9f02d3907f9c06631bedd83ea6a3cf6.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P3 X-Amz-Cf-Id: dNyfa_hNAkB3CfYW-gsE5zF2rFBh29HtGRthkV1B9Ldz6KypEW09ww==

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49751	34.120.62.213	443	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 14:41:22 UTC	286	OUT	POST /api/4508128821837904/envelope/ HTTP/1.1 x-sentry-auth: Sentry sentry_key=d9163996e0bda3370ab4e6b347b338e4, sentry_version=7, sentry_timestamp=1734619276.6109421, sentry_client=sentry.rust/0.34.0 accept: / host: o4508128816857088.ingest.de.sentry.io content-length: 11466
2024-12-19 14:41:22 UTC	11466	OUT	Data Raw: 7b 22 65 76 65 6e 74 5f 69 64 22 3a 22 35 62 37 63 63 36 61 31 2d 65 64 34 62 2d 34 30 36 30 2d 38 32 36 37 2d 64 30 32 38 31 30 36 36 33 66 31 32 22 7d 0a 7b 22 74 79 70 65 22 3a 22 65 76 65 6e 74 22 2c 22 6c 65 6e 67 74 68 22 3a 31 31 33 38 31 7d 0a 7b 22 65 76 65 6e 74 5f 69 64 22 3a 22 35 62 37 63 63 36 61 31 65 64 34 62 34 30 36 30 38 32 36 37 64 30 32 38 31 30 36 36 33 66 31 32 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 45 72 72 28 43 75 73 74 6f 6d 20 7b 20 6b 69 6e 64 3a 20 4f 74 68 65 72 2c 20 65 72 72 6f 72 3a 20 5c 22 43 6c 6f 73 65 64 5c 22 20 7d 29 22 2c 22 70 6c 61 74 66 6f 72 6d 22 3a 22 6e 61 74 69 76 65 22 2c 22 74 69 6d 65 73 74 61 6d 70 22 3a 31 37 33 34 36 31 39 32 38 31 2e 30 37 31 38 37 30 38 2c 22 73 65 72 76 65 72 5f 6e 61 6d 65 22 3a Data Ascii: {"event_id":"5b7cc6a1-ed4b-4060-8267-d02810663f12"}{"type":"event","length":11381}{"event_id":"5b7cc6a1ed4b40608267d02810663f12","message":"Err(Custom { kind: Other, error: \"Closed\" })","platform":"native","timestamp":1734619281.0718708,"server_name":
2024-12-19 14:41:22 UTC	672	IN	HTTP/1.1 429 Too Many Requests server: nginx date: Thu, 19 Dec 2024 14:41:22 GMT content-type: application/json retry-after: 60 x-sentry-rate-limits: 60:default;error;security;attachment:organization:error_usage_exceeded vary: origin, access-control-request-method, access-control-request-headers,accept-encoding access-control-allow-origin: * access-control-expose-headers: x-sentry-error,x-sentry-rate-limits,retry-after cross-origin-resource-policy: cross-origin strict-transport-security: max-age=31536000; includeSubDomains; preload via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close Transfer-Encoding: chunked
2024-12-19 14:41:22 UTC	209	IN	Data Raw: 63 36 0d 0a 7b 22 64 65 74 61 69 6c 22 3a 22 53 65 6e 74 72 79 20 64 72 6f 70 70 65 64 20 64 61 74 61 20 64 75 65 20 74 6f 20 61 20 71 75 6f 74 61 20 6f 72 20 69 6e 74 65 72 6e 61 6c 20 72 61 74 65 20 6c 69 6d 69 74 20 62 65 69 6e 67 20 72 65 61 63 68 65 64 2e 20 54 68 69 73 20 77 69 6c 6c 20 6e 6f 74 20 61 66 66 65 63 74 20 79 6f 75 72 20 61 70 70 6c 69 63 61 74 69 6f 6e 2e 20 53 65 65 20 68 74 74 70 73 3a 2f 2f 64 6f 63 73 2e 73 65 6e 74 72 79 2e 69 6f 2f 70 72 6f 64 75 63 74 2f 61 63 63 6f 75 6e 74 73 2f 71 75 6f 74 61 73 2f 20 66 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 22 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c6{"detail":"Sentry dropped data due to a quota or internal rate limit being reached. This will not affect your application. See https://docs.sentry.io/product/accounts/quotas/ for more information."}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49763	34.120.62.213	443	8220	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 14:42:26 UTC	286	OUT	POST /api/4508128821837904/envelope/ HTTP/1.1 x-sentry-auth: Sentry sentry_key=d9163996e0bda3370ab4e6b347b338e4, sentry_version=7, sentry_timestamp=1734619276.6109421, sentry_client=sentry.rust/0.34.0 accept: / host: o4508128816857088.ingest.de.sentry.io content-length: 12561
2024-12-19 14:42:26 UTC	12561	OUT	Data Raw: 7b 22 65 76 65 6e 74 5f 69 64 22 3a 22 61 34 62 30 65 64 31 36 2d 35 34 64 62 2d 34 36 30 31 2d 39 66 30 62 2d 64 31 66 30 32 63 66 38 61 33 32 66 22 7d 0a 7b 22 74 79 70 65 22 3a 22 65 76 65 6e 74 22 2c 22 6c 65 6e 67 74 68 22 3a 31 32 34 37 36 7d 0a 7b 22 65 76 65 6e 74 5f 69 64 22 3a 22 61 34 62 30 65 64 31 36 35 34 64 62 34 36 30 31 39 66 30 62 64 31 66 30 32 63 66 38 61 33 32 66 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 45 72 72 28 43 75 73 74 6f 6d 20 7b 20 6b 69 6e 64 3a 20 4f 74 68 65 72 2c 20 65 72 72 6f 72 3a 20 5c 22 43 6c 6f 73 65 64 5c 22 20 7d 29 22 2c 22 70 6c 61 74 66 6f 72 6d 22 3a 22 6e 61 74 69 76 65 22 2c 22 74 69 6d 65 73 74 61 6d 70 22 3a 31 37 33 34 36 31 39 33 34 35 2e 38 37 34 34 32 35 34 2c 22 73 65 72 76 65 72 5f 6e 61 6d 65 22 3a Data Ascii: {"event_id":"a4b0ed16-54db-4601-9f0b-d1f02cf8a32f"}{"type":"event","length":12476}{"event_id":"a4b0ed1654db46019f0bd1f02cf8a32f","message":"Err(Custom { kind: Other, error: \"Closed\" })","platform":"native","timestamp":1734619345.8744254,"server_name":
2024-12-19 14:42:27 UTC	672	IN	HTTP/1.1 429 Too Many Requests server: nginx date: Thu, 19 Dec 2024 14:42:27 GMT content-type: application/json retry-after: 60 x-sentry-rate-limits: 60:default;error;security;attachment:organization:error_usage_exceeded vary: origin, access-control-request-method, access-control-request-headers,accept-encoding access-control-allow-origin: * access-control-expose-headers: x-sentry-error,x-sentry-rate-limits,retry-after cross-origin-resource-policy: cross-origin strict-transport-security: max-age=31536000; includeSubDomains; preload via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close Transfer-Encoding: chunked
2024-12-19 14:42:27 UTC	209	IN	Data Raw: 63 36 0d 0a 7b 22 64 65 74 61 69 6c 22 3a 22 53 65 6e 74 72 79 20 64 72 6f 70 70 65 64 20 64 61 74 61 20 64 75 65 20 74 6f 20 61 20 71 75 6f 74 61 20 6f 72 20 69 6e 74 65 72 6e 61 6c 20 72 61 74 65 20 6c 69 6d 69 74 20 62 65 69 6e 67 20 72 65 61 63 68 65 64 2e 20 54 68 69 73 20 77 69 6c 6c 20 6e 6f 74 20 61 66 66 65 63 74 20 79 6f 75 72 20 61 70 70 6c 69 63 61 74 69 6f 6e 2e 20 53 65 65 20 68 74 74 70 73 3a 2f 2f 64 6f 63 73 2e 73 65 6e 74 72 79 2e 69 6f 2f 70 72 6f 64 75 63 74 2f 61 63 63 6f 75 6e 74 73 2f 71 75 6f 74 61 73 2f 20 66 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 22 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c6{"detail":"Sentry dropped data due to a quota or internal rate limit being reached. This will not affect your application. See https://docs.sentry.io/product/accounts/quotas/ for more information."}0

Target ID:	0
Start time:	09:41:07
Start date:	19/12/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\8N8j6QojHn.dll"
Imagebase:	0x7ff7be210000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:41:07
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff715ca0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:41:07
Start date:	19/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1
Imagebase:	0x7ff63aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:41:07
Start date:	19/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,DllMain
Imagebase:	0x7ff63d420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:41:07
Start date:	19/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",#1
Imagebase:	0x7ff63d420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:41:10
Start date:	19/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,ServiceMain
Imagebase:	0x7ff63d420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:41:13
Start date:	19/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\8N8j6QojHn.dll,get_hostfxr_path
Imagebase:	0x7ff63d420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:41:15
Start date:	19/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1424 -s 428
Imagebase:	0x7ff6af730000
File size:	568'632 bytes
MD5 hash:	5C06542FED8EE68994D43938E7326D75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:41:16
Start date:	19/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",DllMain
Imagebase:	0x7ff63d420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:41:16
Start date:	19/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",ServiceMain
Imagebase:	0x7ff63d420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:41:16
Start date:	19/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\8N8j6QojHn.dll",get_hostfxr_path
Imagebase:	0x7ff63d420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:41:21
Start date:	19/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 8204 -s 428
Imagebase:	0x7ff6af730000
File size:	568'632 bytes
MD5 hash:	5C06542FED8EE68994D43938E7326D75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22%
Total number of Nodes:	59
Total number of Limit Nodes:	1

Non-executed Functions

Function 00007FFA11471730 Relevance: 9.1, APIs: 6, Instructions: 146
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

accept.WS2_32 ref: 00007FFA11471785
WSAGetLastError.WS2_32 ref: 00007FFA114717CD
closesocket.WS2_32 ref: 00007FFA11471852
bind.WS2_32 ref: 00007FFA1147190A
WSAGetLastError.WS2_32 ref: 00007FFA11471925
closesocket.WS2_32 ref: 00007FFA11471938

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID: ErrorLastclosesocket$acceptbind
String ID:
API String ID: 1804377370-0
Opcode ID: c7b51e8292a29a5a90fcb79761d37cf21f9b0f0c8f198b9ace2e4d1acedf13af
Instruction ID: 071c893bf255e977dd1068d7c19cedd3e3640db926032c9abc3ccfef25b88ec7
Opcode Fuzzy Hash: c7b51e8292a29a5a90fcb79761d37cf21f9b0f0c8f198b9ace2e4d1acedf13af
Instruction Fuzzy Hash: 5551E36191898182E7768B15F0412BEB3E5EF85FA4F01D135EADE03690EB3CE4A1CB40

Function 00007FFA1148FC00 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFA1148FC2C
GetCurrentThreadId.KERNEL32 ref: 00007FFA1148FC3A
GetCurrentProcessId.KERNEL32 ref: 00007FFA1148FC46
QueryPerformanceCounter.KERNEL32 ref: 00007FFA1148FC56

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 12fd8a9f89629ea2447222c8c74297c2fbcce32a864f8b5c802af7c08dfa3724
Instruction ID: 558d41c8c7d3957b706a7b250b9171b47a68ece698e7fff8977de9c93a6069a3
Opcode Fuzzy Hash: 12fd8a9f89629ea2447222c8c74297c2fbcce32a864f8b5c802af7c08dfa3724
Instruction Fuzzy Hash: 2B111F66B14F018AEB019F60E8542B833A8FB59B68F450E31DA6D467A4DF78E1A48740

Function 00007FFA1149ED40 Relevance: 5.7, Strings: 4, Instructions: 688
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

uespemos, xrefs: 00007FFA1149F054
modnarod, xrefs: 00007FFA1149F066
setybdet, xrefs: 00007FFA1149F08A
arenegyl, xrefs: 00007FFA1149F078

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: d3daacb50e6a5e86a45ee54e19aca212472062c4860bb173f1bcb69688a0aab6
Instruction ID: b59a94bd648f15ad3718031f6f8fc649bdf6d27ea2c9ad7859a6cfe3f26b77c5
Opcode Fuzzy Hash: d3daacb50e6a5e86a45ee54e19aca212472062c4860bb173f1bcb69688a0aab6
Instruction Fuzzy Hash: 6A4259A2B18F8982EB118B69A4006696766F78ABF4F51D332DEAD137D5EF3CC151C700

Function 00007FFA1149F7F0 Relevance: 5.6, Strings: 4, Instructions: 593
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

setybdet, xrefs: 00007FFA1149FA15
arenegyl, xrefs: 00007FFA1149FA03
uespemos, xrefs: 00007FFA1149F9DF
modnarod, xrefs: 00007FFA1149F9F1

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: d3ea4d561a59784e363e8fb81793ac518c78f1528762f10beb5af92a7ea12c20
Instruction ID: d4d7bcb88c2d4cc4614b3c8c9d4765715f7ca3812e42af1595a9182ab96a1010
Opcode Fuzzy Hash: d3ea4d561a59784e363e8fb81793ac518c78f1528762f10beb5af92a7ea12c20
Instruction Fuzzy Hash: FB3237A2B18F8542EB118F68A4106B96B65FB8ABA4F45D331DEAE177C5EF3CD151C300

Function 00007FFA112E1DA0 Relevance: 5.1, Strings: 4, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

modnarod, xrefs: 00007FFA112E1DB2
uespemos, xrefs: 00007FFA112E1DA5
setybdet, xrefs: 00007FFA112E1DCC
arenegyl, xrefs: 00007FFA112E1DBF

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 6913041949bbfa74934f3464e567d6e1aeceb7576476e4ec240618c533d55c3a
Instruction ID: c5f9a3704b9b2d5fba707ddcab22d6fc22925276d0901ea23b6436d898760fac
Opcode Fuzzy Hash: 6913041949bbfa74934f3464e567d6e1aeceb7576476e4ec240618c533d55c3a
Instruction Fuzzy Hash: 683137E6B08B8042FE54D7E4787536B9212A7457D0F90E136EE4E9BF1EDE2DD2424640

Function 00007FFA1148A0B0 Relevance: 1.6, Strings: 1, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+NaNinf00e00E0, xrefs: 00007FFA1148A0B6

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID: +NaNinf00e00E0
API String ID: 0-248423880
Opcode ID: e03af7eff98612d667f33974eb37de08fb45994ebcffc1666481443cf5da295c
Instruction ID: de1115d1ce58261966537a80f7fb5dcdbea5016b2e21f933c8fd67ffcdee4b22
Opcode Fuzzy Hash: e03af7eff98612d667f33974eb37de08fb45994ebcffc1666481443cf5da295c
Instruction Fuzzy Hash: 66D1AEA2B19B6643EF1A8B9594183782789E795FD4F62C031CE6F23784DE7CD951CB00

Function 00007FFA114896B0 Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab29372ec92fbae8efa6dbd3038f7da46f969cff221e93ee9050bb7b0832caa
Instruction ID: e34bb9dafadaa6107d602682e77a12dd4650cc93224ef259d9f661412a3b8ce2
Opcode Fuzzy Hash: bab29372ec92fbae8efa6dbd3038f7da46f969cff221e93ee9050bb7b0832caa
Instruction Fuzzy Hash: F83299A2B18EA583EB158F95E4046A9B755FB85FD4F468032EE5E03B84EF3CD456CB00

Function 00007FFA11306290 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a017d8804a63d04de05a9711d122f9e0bc106880c5135b1f55579b37da2064c
Instruction ID: d63926e741b649d58db3d9b51dd1978f272b4c67317491ef62ff58831d486f89
Opcode Fuzzy Hash: 2a017d8804a63d04de05a9711d122f9e0bc106880c5135b1f55579b37da2064c
Instruction Fuzzy Hash: 72026BE6A18EA142E7968B05941033A6AD5FB457B4F228234EE6E07BDCDF3CD550AB00

Function 00007FFA1147D500 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7175cec44c224e48e43834ba5561a362b647d0e764ba630f27001171134d04
Instruction ID: 6cf13d6eb401a1269ad9830d08dfc66fe98b78c10b2cf723340b2f1b1d9e81d7
Opcode Fuzzy Hash: 5d7175cec44c224e48e43834ba5561a362b647d0e764ba630f27001171134d04
Instruction Fuzzy Hash: A5F12663A1DAC485E7228B19A4403BEABA4F796BE4F055231EFCE07B85CE3CD551CB40

Function 00007FFA1147FFC0 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a22a0c3fd6392f679b495935aa4e693aa355b445f221fe7fda6bc2de31b2a85
Instruction ID: c5077feebea73d3148375fda9bdb93daf2d2e55743718ba74594e62d045fad2c
Opcode Fuzzy Hash: 5a22a0c3fd6392f679b495935aa4e693aa355b445f221fe7fda6bc2de31b2a85
Instruction Fuzzy Hash: 3DD16CD6E39FA201F723437964022B55604AFA7BF4E01D336FDBD71AD1DB29E2429204

Function 00007FFA1148D8D0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036802706531865e5570e64f8283e59ddce21b84422b5488a72e525fcd92dd1f
Instruction ID: 5a0daf58d89837ca013bc10d7936a864d2824f7b0cc554cedad8b1bc64900c28
Opcode Fuzzy Hash: 036802706531865e5570e64f8283e59ddce21b84422b5488a72e525fcd92dd1f
Instruction Fuzzy Hash: EFA1E3A2A0AAA181E7128B51E54037DB769EB56BB8F55C130DFED07784DF7DE0A1CB00

Function 00007FFA1148D1E0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bd652908c75aa979a606a0e4842c07362165e146ae5281e308133284a8b7d1
Instruction ID: 248d3104d8b4cd170a637e8cb71b1c722b36d5978be8ce594738961048debb28
Opcode Fuzzy Hash: b2bd652908c75aa979a606a0e4842c07362165e146ae5281e308133284a8b7d1
Instruction Fuzzy Hash: AF514EB2F4AE3642E7678BB59840A7C3599DB53FB0F16C131D9BD432D0DD39A9624600

Function 00007FFA111D19E0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed2d7372d4f894844fe00e08bcffc0e33f805a48858a06d2047e8f50a3f0315
Instruction ID: ec934ea8bbc0dd2b098f8e313374be64a72cd0d764c7b5e01a82cbd580ad9ba6
Opcode Fuzzy Hash: 2ed2d7372d4f894844fe00e08bcffc0e33f805a48858a06d2047e8f50a3f0315
Instruction Fuzzy Hash: 89514922B54D5582FF62CB19E8083AAA765FB0A7E0F068436EE8D53794DA7CD5C0CB01

Function 00007FFA112E25B0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7997d90d201108601e5e04c1bdf788b68eed1205965ec5a9109319a4425342cb
Instruction ID: 8ca46c4d2c2736b18cdddd1140bd1ef93882beb0af79bfb200efe9f715c42c43
Opcode Fuzzy Hash: 7997d90d201108601e5e04c1bdf788b68eed1205965ec5a9109319a4425342cb
Instruction Fuzzy Hash: F6412562F45A6146FB1ACB51E674E782619F392FE0F029132CD1B23B80CE78D996C740

Function 00007FFA11470F70 Relevance: 10.6, APIs: 7, Instructions: 64
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketW.WS2_32 ref: 00007FFA11470FA7
WSAGetLastError.WS2_32 ref: 00007FFA11470FBA
WSASocketW.WS2_32 ref: 00007FFA11470FEA
SetHandleInformation.KERNEL32 ref: 00007FFA11471007
GetLastError.KERNEL32 ref: 00007FFA11471011
closesocket.WS2_32 ref: 00007FFA11471024
WSAGetLastError.WS2_32 ref: 00007FFA1147102F

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID: ErrorLast$Socket$HandleInformationclosesocket
String ID:
API String ID: 3114377017-0
Opcode ID: e8fc91bdb7b020b4beb853b3fa1f019e79ab85ee67a59c7c9f006a5cf786e774
Instruction ID: 118235acd36a927f3337c707a3a02dc28a80aef3fd1a4cc4412ceb0e03c9f244
Opcode Fuzzy Hash: e8fc91bdb7b020b4beb853b3fa1f019e79ab85ee67a59c7c9f006a5cf786e774
Instruction Fuzzy Hash: E211D2B1B088A543F7620B34B41872A1695BB86FF4F1A8330DDAE53BD4CE7D58964B00

Function 00007FFA114AB350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FFA114AB3D3
GetLastError.KERNEL32 ref: 00007FFA114AB3DA

Strings

Box<dyn Any>fatal runtime error: the global allocator may not use TLS with destructors, xrefs: 00007FFA114AB354

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID: AddressErrorLastWait
String ID: Box<dyn Any>fatal runtime error: the global allocator may not use TLS with destructors
API String ID: 1574541344-2368852436
Opcode ID: 95888f0208f9d67d365d0e94685335c9533744bf90259d2b06c0b209b77beb84
Instruction ID: f913cfb242e9dae1762712a91c172be3d747a9ddd54f058a88e0265cefdd22d7
Opcode Fuzzy Hash: 95888f0208f9d67d365d0e94685335c9533744bf90259d2b06c0b209b77beb84
Instruction Fuzzy Hash: F011E772A0849144EB764B15341027D7B869B63F74F4FC934DEDE076C8CA1D98D28F00

Function 00007FFA111D1E0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32 ref: 00007FFA111D1E32
closesocket.WS2_32 ref: 00007FFA111D1E39

Strings

H, xrefs: 00007FFA111D1E0B

Memory Dump Source

Source File: 00000006.00000002.18358248809.00007FFA111D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA111D0000, based on PE: true

Associated: 00000006.00000002.18358222261.00007FFA111D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18358937095.00007FFA114AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359087029.00007FFA1153D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.18359114582.00007FFA11540000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffa111d0000_rundll32.jbxd

Similarity

API ID: closesocket
String ID: H
API String ID: 2781271927-2852464175
Opcode ID: 2b32ab530bf5a1cb137be957e997bed42ea83a23db5125ec291894482d05d486
Instruction ID: 95434419e7c6eb9f455157ac6c869610f8fb0811169c133440c3e85118f82e1a
Opcode Fuzzy Hash: 2b32ab530bf5a1cb137be957e997bed42ea83a23db5125ec291894482d05d486
Instruction Fuzzy Hash: 83E0A06670990141FF539B11F54427D93516F83BE4F49C434DE4D07689CD3DE4814B00

Source: global traffic	HTTP traffic detected: POST /api/4508128821837904/envelope/ HTTP/1.1x-sentry-auth: Sentry sentry_key=d9163996e0bda3370ab4e6b347b338e4, sentry_version=7, sentry_timestamp=1734619276.6109421, sentry_client=sentry.rust/0.34.0accept: /host: o4508128816857088.ingest.de.sentry.iocontent-length: 11466
Source: global traffic	HTTP traffic detected: POST /api/4508128821837904/envelope/ HTTP/1.1x-sentry-auth: Sentry sentry_key=d9163996e0bda3370ab4e6b347b338e4, sentry_version=7, sentry_timestamp=1734619276.6109421, sentry_client=sentry.rust/0.34.0accept: /host: o4508128816857088.ingest.de.sentry.iocontent-length: 12561
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: UYOzZ2YAtcs1i13x87Kc+g==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: Mw1Z/LTqLgkNLRnkhKQaTA==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: CBXXvEsoITtUTt+BOyKsUQ==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: ZUAtcwQnAf5wRYRkfuHSuw==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: MzNHV3ANNZeYTEtbeWl93Q==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: svHsmLZe5HtY16UWgdWrqg==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: X+G109X9tM81+sMbtrX9YQ==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: PEvQylND7d43XUNT3qvEVg==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: roWtbVmk63b2Bs9SFiY8Ag==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: a6fF2qAv8dn0cmuFp5hYiQ==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: UNO1ZzRG/JrA31KSleNmIA==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: VPk9YnZ8d1WtxvcoozGrKQ==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: 04MegWaZAmHDpRsK84dP6Q==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: yge8Pu/UtqSnKQ38gEEGkw==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: +qGA7SKr5nFHYVsovqWR7A==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: jQUG6hvrh79opMqDTR/cgw==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: fVxH0q9LuJWk6ISi5xwM6w==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: VXIHAh+XO4HCn9ufP09slA==

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: MIT-GATEWAYSUS MIT-GATEWAYSUS
Source: Joe Sandbox View	ASN Name: MTW-ASRU MTW-ASRU

Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: UYOzZ2YAtcs1i13x87Kc+g==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: Mw1Z/LTqLgkNLRnkhKQaTA==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: CBXXvEsoITtUTt+BOyKsUQ==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: ZUAtcwQnAf5wRYRkfuHSuw==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: MzNHV3ANNZeYTEtbeWl93Q==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: svHsmLZe5HtY16UWgdWrqg==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: X+G109X9tM81+sMbtrX9YQ==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: PEvQylND7d43XUNT3qvEVg==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: roWtbVmk63b2Bs9SFiY8Ag==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: a6fF2qAv8dn0cmuFp5hYiQ==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: UNO1ZzRG/JrA31KSleNmIA==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: VPk9YnZ8d1WtxvcoozGrKQ==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: 04MegWaZAmHDpRsK84dP6Q==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: yge8Pu/UtqSnKQ38gEEGkw==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: +qGA7SKr5nFHYVsovqWR7A==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: jQUG6hvrh79opMqDTR/cgw==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: 195.133.1.117Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: fVxH0q9LuJWk6ISi5xwM6w==
Source: global traffic	HTTP traffic detected: GET /ws HTTP/1.1Host: d2np1vqkcxhde6.cloudfront.netConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: VXIHAh+XO4HCn9ufP09slA==

Source: global traffic	DNS traffic detected: DNS query: d2np1vqkcxhde6.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: o4508128816857088.ingest.de.sentry.io

Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.1.117

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8N8j6QojHn.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8N8_227981c0f83afa88f5535c5c353a7cf1b92740eb_28fdd4fb_0552533c-2f0a-4297-9945-863846b0ca38\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8N8_227981c0f83afa88f5535c5c353a7cf1b92740eb_28fdd4fb_920365fd-1804-4983-87e1-96076e6e39b4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER152.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D1.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA11.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREABE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAEE.tmp.xml

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
8N8j6QojHn.dll

Function 00007FFA11471730 Relevance: 9.1, APIs: 6, Instructions: 146
networkCOMMON

Function 00007FFA1148FC00 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON

Function 00007FFA1149ED40 Relevance: 5.7, Strings: 4, Instructions: 688
COMMON

Function 00007FFA1149F7F0 Relevance: 5.6, Strings: 4, Instructions: 593
COMMON

Function 00007FFA112E1DA0 Relevance: 5.1, Strings: 4, Instructions: 98
COMMON

Function 00007FFA1148A0B0 Relevance: 1.6, Strings: 1, Instructions: 395
COMMON