Windows Analysis Report
dropper.exe

Source: C:\Users\user\Desktop\dropper.exe

Process token adjusted: Security

Source: System.evtx.23.dr	Binary string: \Device\HarddiskVolume4\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr	Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeD
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr	Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exed
Source: System.evtx.23.dr	Binary string: C:\Device\HarddiskVolume4K
Source: Microsoft-Windows-SMBServer%4Operational.evtx.23.dr	Binary string: \Device\NetbiosSmb
Source: System.evtx.23.dr	Binary string: \\?\Volume{cb7fdaf7-d8ae-4a24-98ab-ca007942ac33}\Device\HarddiskVolume1m
Source: Microsoft-Windows-SMBServer%4Operational.evtx.23.dr	Binary string: computer WORKGROUP:\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}
Source: System.evtx.23.dr	Binary string: \Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr	Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.23.dr	Binary string: \\?\Volume{cb7fdaf7-d8ae-4a24-98ab-ca007942ac33}\Device\HarddiskVolume1an
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr	Binary string: 1\Device\HarddiskVolume4\Windows\System32\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr	Binary string: 1\Device\HarddiskVolume4\Windows\System32\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeo
Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.23.dr	Binary string: C:\Device\HarddiskVolume4
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.23.dr	Binary string: J\Device\HarddiskVolume4\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.23.dr	Binary string: \\?\Volume{cb7fdaf7-d8ae-4a24-98ab-ca007942ac33}\Device\HarddiskVolume1iceV
Source: Security.evtx.23.dr	Binary string: \Device\HarddiskVolume4\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Security.evtx.23.dr	Binary string: \Device\HarddiskVolume4\Windows\System32\drivers\filetrace.syscom
Source: System.evtx.23.dr	Binary string: .\Device\HarddiskVolume2\EFI\Microsoft\Boot\BCD~
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr	Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeo
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr	Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeT_AH**
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.23.dr	Binary string: >\Device\HarddiskVolume4\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.23.dr	Binary string: :\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}

Source: classification engine

Classification label: mal84.evad.winEXE@7/60@0/1

Source: C:\Windows\System32\cmd.exe

Code function: 3_2_0000018B3C4175B0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,GetModuleHandleW,FormatMessageW,GetLastError,

3_2_0000018B3C4175B0

Source: C:\Windows\System32\cmd.exe	Code function: 3_2_0000018B3C400CA0 OutputDebugStringW,LsaOpenPolicy,GetCurrentProcess,OpenProcessToken,GetTokenInformation,LsaAddAccountRights,LsaClose,LsaClose,LsaClose,memset,OutputDebugStringW,memset,OutputDebugStringW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,		3_2_0000018B3C400CA0
Source: C:\Windows\System32\cmd.exe	Code function: 3_2_00007FFBFD5C0CA0 OutputDebugStringW,LsaOpenPolicy,GetCurrentProcess,OpenProcessToken,GetTokenInformation,LsaAddAccountRights,LsaClose,LsaClose,LsaClose,memset,OutputDebugStringW,memset,OutputDebugStringW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,		3_2_00007FFBFD5C0CA0

Source: C:\Users\user\Desktop\dropper.exe

Code function: 0_2_00007FF71C077DF0 memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,CreateToolhelp32Snapshot,memset,OutputDebugStringW,Module32FirstW,memset,memset,OutputDebugStringW,memset,OutputDebugStringW,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,memcmp,memcmp,memcmp,memset,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,Module32NextW,memset,OutputDebugStringW,NtClose,memset,OutputDebugStringW,

0_2_00007FF71C077DF0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8428:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8800:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8576:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8428:120:WilError_03

Source: C:\Users\user\Desktop\dropper.exe

File created: C:\Windows\Temp\tempdll.dll

Source: dropper.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dropper.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: dropper.exe

Virustotal: Detection: 12%

Source: unknown	Process created: C:\Users\user\Desktop\dropper.exe "C:\Users\user\Desktop\dropper.exe"
Source: C:\Users\user\Desktop\dropper.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dropper.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\lsass.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dropper.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dropper.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: dropper.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: dropper.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: dropper.exe

Static file information: File size 3219456 > 1048576

Source: dropper.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15e000
Source: dropper.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1a7400

Source: dropper.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: dropper.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdbTCDE.@ source: svchost.exe, 00000016.00000000.1980287685.000001FE41048000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3721582776.000001FE41048000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdb source: svchost.exe, 00000016.00000000.1980287685.000001FE41048000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3721582776.000001FE41048000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: dropper.pdb source: dropper.exe
Source:	Binary string: rnlmp.pdbxC4 source: svchost.exe, 00000016.00000002.3723062033.000001FE41057000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1980368839.000001FE41057000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: svchost.exe, 00000016.00000002.3723062033.000001FE41057000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1980368839.000001FE41057000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\ntkrnlmp.pdb source: svchost.exe, 00000016.00000000.1980206855.000001FE4102A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3719951023.000001FE4102A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: dll.pdb source: dropper.exe, 00000000.00000003.1855774737.00000236C9808000.00000004.00000020.00020000.00000000.sdmp, dropper.exe, 00000000.00000002.1857886263.00000236C9857000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.3723910614.0000018B3C42B000.00000002.00000001.01000000.00000005.sdmp, cmd.exe, 00000003.00000002.3713846370.0000018B3A167000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.3731019737.00007FFBFD5EB000.00000002.00000001.01000000.00000005.sdmp, tempdll.dll.0.dr
Source:	Binary string: ntkrnlmp.pdb source: svchost.exe, 00000016.00000002.3723062033.000001FE41057000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1980368839.000001FE41057000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062.pdb source: svchost.exe, 00000016.00000000.1980287685.000001FE41048000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3721582776.000001FE41048000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991 source: svchost.exe, 00000016.00000000.1980287685.000001FE41048000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3721582776.000001FE41048000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.error source: svchost.exe, 00000016.00000000.1980287685.000001FE41048000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3721582776.000001FE41048000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000016.00000002.3723062033.000001FE41057000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1980368839.000001FE41057000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\symsrv.dllp.pdb source: svchost.exe, 00000016.00000000.1980482592.000001FE4106C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3725498971.000001FE4106C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000016.00000002.3723062033.000001FE41057000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1980368839.000001FE41057000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.errorj source: svchost.exe, 00000016.00000000.1980287685.000001FE41048000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3721582776.000001FE41048000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: dll.pdb' source: dropper.exe, 00000000.00000003.1855774737.00000236C9808000.00000004.00000020.00020000.00000000.sdmp, dropper.exe, 00000000.00000002.1857886263.00000236C9857000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.3723910614.0000018B3C42B000.00000002.00000001.01000000.00000005.sdmp, cmd.exe, 00000003.00000002.3713846370.0000018B3A167000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.3731019737.00007FFBFD5EB000.00000002.00000001.01000000.00000005.sdmp, tempdll.dll.0.dr
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000016.00000002.3723062033.000001FE41057000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1980368839.000001FE41057000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\ntkrnlmp.pdb source: svchost.exe, 00000016.00000000.1980206855.000001FE4102A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3719951023.000001FE4102A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\download.error source: svchost.exe, 00000016.00000000.1980206855.000001FE4102A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3719951023.000001FE4102A000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\dropper.exe

File created: C:\Windows\Temp\tempdll.dll

Jump to dropped file

Source: C:\Users\user\Desktop\dropper.exe

File created: C:\Windows\Temp\tempdll.dll

Jump to dropped file

Source: C:\Windows\System32\cmd.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDefend

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\dropper.exe	Section loaded: OutputDebugStringW count: 1228
Source: C:\Windows\System32\cmd.exe	Section loaded: OutputDebugStringW count: 1973

Source: C:\Users\user\Desktop\dropper.exe

Dropped PE file which has not been started: C:\Windows\Temp\tempdll.dll

Jump to dropped file

Source: C:\Windows\System32\cmd.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-11435

Source: C:\Windows\System32\svchost.exe TID: 2444

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe

Code function: 3_2_0000018B3C417090 OutputDebugStringW,CloseHandle,memset,FindFirstFileW,FindClose,

3_2_0000018B3C417090

Source: lsass.exe, 00000006.00000002.3723138243.000001F2E18A6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000017.00000002.3721796406.00000174A5442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1984815923.00000174A5442000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: lsass.exe, 00000006.00000002.3723138243.000001F2E18A6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000007.00000002.3755225460.000002818667E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: svchost.exe, 0000000C.00000000.1922864973.0000022F57C2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3772917471.0000022F57C2A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: svchost.exe, 00000007.00000000.1912424622.0000028185C35000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $@vmicheartbeat
Source: svchost.exe, 00000007.00000000.1912424622.0000028185C35000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: svchost.exe, 0000000C.00000000.1922864973.0000022F57C2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3772917471.0000022F57C2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.3771718250.000001EA4FE6A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.3771358684.000001EA4FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000000.2025380455.000001EA4FE6A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.3773189917.000001EA4FEA2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000000.2025317936.000001EA4FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.3722940511.000002ED9A05E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002B.00000000.2061981874.000002ED9A05E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000020.00000000.2019711355.000001F362600000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000006.00000002.3723138243.000001F2E18A6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000007.00000000.1912424622.0000028185C35000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @vmicshutdown
Source: lsass.exe, 00000006.00000002.3717662966.000001F2E1813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1906220696.000001F2E1813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3715759126.0000023634813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000000.1926273911.0000023634813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.3717941517.000001EA7E22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1963378516.000001EA7E22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3717173017.0000027621429000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1964854274.0000027621429000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1970766916.00000147A345A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3723906951.00000147A345A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.3721796406.00000174A5442000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000007.00000002.3755225460.000002818667E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: svchost.exe, 00000007.00000000.1912424622.0000028185C35000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @vmicheartbeat

Source: C:\Windows\System32\cmd.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\dropper.exe

Code function: 0_2_00007FF71C1C6E94 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF71C1C6E94

Source: C:\Windows\System32\cmd.exe

Code function: 3_2_0000018B3C400CA0 OutputDebugStringW,LsaOpenPolicy,GetCurrentProcess,OpenProcessToken,GetTokenInformation,LsaAddAccountRights,LsaClose,LsaClose,LsaClose,memset,OutputDebugStringW,memset,OutputDebugStringW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,

3_2_0000018B3C400CA0

Source: C:\Users\user\Desktop\dropper.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\dropper.exe	Code function: 0_2_00007FF71C1C6E94 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF71C1C6E94
Source: C:\Windows\System32\cmd.exe	Code function: 3_2_0000018B3C42726C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0000018B3C42726C
Source: C:\Windows\System32\cmd.exe	Code function: 3_2_00007FFBFD5E726C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FFBFD5E726C

Source: C:\Users\user\Desktop\dropper.exe

Memory allocated: page read and write | page guard

Allocates memory in foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\dropper.exe

Memory allocated: C:\Windows\System32\cmd.exe base: 18B3A020000 protect: page read and write

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\dropper.exe	Thread created: C:\Windows\System32\cmd.exe EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: 191604F0	Jump to behavior

Disables Windows Defender (deletes autostart)

Source: C:\Windows\System32\cmd.exe

Registry value deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\dropper.exe	NtUnmapViewOfSection: Direct from: 0x7FF71C07F895	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtWriteVirtualMemory: Direct from: 0x7FF71C07D1CA	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtAllocateVirtualMemory: Direct from: 0x7FF71C07D186	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtUnmapViewOfSection: Direct from: 0x7FF71C079E44	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtClose: Direct from: 0x7FF71C079F34
Source: C:\Users\user\Desktop\dropper.exe	NtProtectVirtualMemory: Direct from: 0x7FFC1A122651	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtCreateFile: Direct from: 0x7FF71C1AE4B5	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtAllocateVirtualMemory: Direct from: 0x7FF71C07F744	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtClose: Direct from: 0x7FF71C1A86C5
Source: C:\Users\user\Desktop\dropper.exe	NtSetInformationThread: Direct from: 0x7FF71C1C6A77	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtQueryInformationProcess: Direct from: 0x7FF71C07F72F	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtProtectVirtualMemory: Direct from: 0x7FF71C07DD04	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtWriteFile: Direct from: 0x7FF71C1AE647	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtClose: Direct from: 0x7FF71C07C0A3
Source: C:\Users\user\Desktop\dropper.exe	NtCreateThreadEx: Direct from: 0x7FF71C07D41A	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtMapViewOfSection: Direct from: 0x7FF71C07FC02	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtAllocateVirtualMemory: Direct from: 0x7FF71C083E39	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\cmd.exe

Memory written: PID: 5000 base: 2D90000 value: 43

Writes to foreign memory regions

Source: C:\Users\user\Desktop\dropper.exe	Memory written: C:\Windows\System32\cmd.exe base: 18B3A020000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\winlogon.exe base: 217D54C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\lsass.exe base: 1F2E1F10000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 28186B40000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\fontdrvhost.exe base: 2664CA80000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\fontdrvhost.exe base: 13D7E420000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F57BF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 23634780000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\dwm.exe base: 27375B10000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F9BDA90000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EA7E1E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 276213D0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 17CF7270000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 147A41E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 15E1D4E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BCBDFE0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FE41EF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 174A53F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A5DC270000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 16695DE0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1DA59730000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 218305B0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 18FDB8C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 24A877A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F1365E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0005F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F363390000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F716BC0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EA50670000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 25D4D760000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 29DAC1E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C82FD20000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2428F430000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E5211A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 261E89D0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 14EC7EA0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E74B710000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2ED99FF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2633A390000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 600000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1793BD30000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B89A750000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C20FEF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD2AFC0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2767ECF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A88ACA0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C659020000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 276A72E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 19A21740000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 2BE79EF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBECEE0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 201793A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 1DE56380000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD5C3B0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 24C0F740000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26CF5F30000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\sihost.exe base: 18DC9C20000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E73DC50000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: 1730000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F5D6DE0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D21E4E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 220F8E20000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C49DD90000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1D5CADF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\explorer.exe base: 2D90000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxEM.exe base: 1AC38D60000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 237ABA50000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: 1FBA9F50000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2BD913F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 13685FD0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FE60EE0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D227BC0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D599050000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe base: 1472FBA0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\SettingSyncHost.exe base: 16547A50000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 1DF631D0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EF1DBD0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1EDF6860000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\dllhost.exe base: 177B1280000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F9D0970000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 18664C90000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe base: 600000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C7370C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E79B880000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1F9A3570000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1EE56C40000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 2685ABB0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 24AD9080000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 231C3350000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 1B0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\conhost.exe base: 17246820000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\dllhost.exe base: 18A4F660000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A5CC100000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 242AC3F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ED267F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: FE0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 5B0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: C20000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1070000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 590000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: F50000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 7D0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: ED0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 500000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: DB0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 970000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: BB0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 3B0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 7F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: DF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1B0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 500000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: EF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 980000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1330000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 690000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1410000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: A00000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 11B0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 930000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 370000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 780000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 830000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 550000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 13F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 12E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: D50000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 590000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1330000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 780000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 500000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 10E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 370000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: D50000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: BB0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: AD0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: D00000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 610000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1330000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: F10000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 560000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 710000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 970000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: E60000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 740000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1350000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: F80000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: C00000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: E40000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1300000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: E70000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: A30000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 5D0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: B20000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 600000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: D60000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: D40000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1080000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: B10000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 740000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1390000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: E00000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1400000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1140000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 7A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: F10000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 15C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 15A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: DA0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: DA0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 700000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: A30000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 770000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: FC0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 7C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 710000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: B60000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1040000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 1200000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: DD0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files (x86)\xlhcdIWgLWGwuhJsFxDzcSHbAunxGDVrKhKIRJvwcGhPiH\dZnuwWDiBQtInGlCOSs.exe base: 3C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 194B1A60000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 2819CD40000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F57B70000	Jump to behavior

Source: winlogon.exe, 00000005.00000002.3741583459.00000217D60B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000005.00000000.1903787911.00000217D60B0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.3779215296.000002736D770000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000005.00000002.3741583459.00000217D60B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000005.00000000.1903787911.00000217D60B0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.3779215296.000002736D770000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: NProgram Manager
Source: winlogon.exe, 00000005.00000002.3741583459.00000217D60B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000005.00000000.1903787911.00000217D60B0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.3779215296.000002736D770000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: dwm.exe, 0000000E.00000000.1945726898.0000027375289000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000002.3818930873.0000027375289000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Managerx
Source: winlogon.exe, 00000005.00000002.3741583459.00000217D60B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000005.00000000.1903787911.00000217D60B0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.3779215296.000002736D770000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dropper.exe

Code function: 0_2_00007FF71C1C6D6C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF71C1C6D6C

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\cmd.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center FirewallOverride

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiVirus 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine	Registry value created: MpEnablePus 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting	Registry value created: DisableEnhancedNotifications 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet	Registry value created: DisableBlockAtFirstSeen 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet	Registry value created: SpynetReporting 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet	Registry value created: SubmitSamplesConsent 1	Jump to behavior

Source: Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.23.dr	Binary or memory string: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MsMpEng.exe
Source: MpCmdRun.exe, 00000009.00000003.1922664711.000002819C54A000.00000004.00000001.00020000.00000000.sdmp, MpCmdRun.exe, 00000009.00000003.1921725510.000002819C552000.00000004.00000001.00020000.00000000.sdmp, MpCmdRun.exe, 00000009.00000002.1924123066.000002819C54A000.00000004.00000001.00020000.00000000.sdmp, MpCmdRun.exe, 00000009.00000003.1922229934.000002819C552000.00000004.00000001.00020000.00000000.sdmp, MpCmdRun.exe, 00000009.00000003.1921379425.000002819C54A000.00000004.00000001.00020000.00000000.sdmp, MpCmdRun.exe, 00000009.00000002.1924123066.000002819C552000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 LSASS Driver	1 Windows Service	13 Virtualization/Sandbox Evasion	LSASS Memory	61 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	42 Process Injection	31 Disable or Modify Tools	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Abuse Elevation Control Mechanism	1 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 LSASS Driver	42 Process Injection	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Bypass User Account Control	1 DLL Side-Loading	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Bypass User Account Control	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dropper.exe	12%	Virustotal		Browse

Source	Detection	Scanner	Label
https://excel.office.comSRD1%	0%	Avira URL Cloud	safe
https://powerpoint.office.comSRD13	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
https://word.office.com.com	0%	Avira URL Cloud	safe
https://outlook.comcom	0%	Avira URL Cloud	safe
https://outlook.comSRD1-	0%	Avira URL Cloud	safe
https://word.office.comSRD1#	0%	Avira URL Cloud	safe
http://ns.adobe.	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.com	svchost.exe, 0000002A.00000000.2057998047.000001E74C168000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000006.00000000.1906270895.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3718575754.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com/shell	svchost.exe, 00000007.00000000.1915700291.0000028186CAF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3769748764.0000028186CAF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2524514466.0000028186CAF000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000006.00000000.1906270895.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3718575754.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3720198630.000001F2E1850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1906371373.000001F2E1850000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000006.00000000.1906270895.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3718575754.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns2-ch1p.notify.windows.com/?token=AwYAAACOo%2bDpegMJ4mimyuZb31GqC7oXjlMabDDVUR8qnW8cVhNR3Y	Microsoft-Windows-PushNotification-Platform%4Operational.evtx.23.dr	false		high
https://outlook.comcom	svchost.exe, 0000002A.00000000.2051366875.000001E74AE65000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.rs/getrandom#nodejs-es-module-support	dropper.exe, tempdll.dll.0.dr	false		high
https://www.office.com/pwaimages	svchost.exe, 0000002A.00000002.3757690094.000001E74BA23000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2053698567.000001E74BA23000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000006.00000002.3720198630.000001F2E1850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1906371373.000001F2E1850000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	svchost.exe, 0000001B.00000002.3734901120.000002182FDD0000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	svchost.exe, 0000002A.00000000.2051366875.000001E74AE65000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000006.00000000.1906270895.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3718575754.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3720198630.000001F2E1850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1906371373.000001F2E1850000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com.com	svchost.exe, 0000002A.00000000.2057998047.000001E74C168000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.comSRD1%	svchost.exe, 0000002A.00000000.2058607590.000001E74C423000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3778892876.000001E74C423000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000006.00000002.3718575754.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://spclient.wg.spotify.com/v1/live-tile-xml?region=	svchost.exe, 00000007.00000000.1913080338.0000028186600000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3750551577.0000028186600000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 00000006.00000000.1906270895.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3718575754.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comSRD13	svchost.exe, 0000002A.00000000.2058607590.000001E74C423000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3778892876.000001E74C423000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/soap12/P	lsass.exe, 00000006.00000000.1906270895.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3718575754.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://outlook.comSRD1-	svchost.exe, 0000002A.00000000.2052912145.000001E74B900000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3114422886.000001E74B903000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2058607590.000001E74C423000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3114855996.000001E74B92D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3749777532.000001E74B931000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3778892876.000001E74C423000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.cn/shellRESP	svchost.exe, 00000007.00000000.1915700291.0000028186CAF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3769748764.0000028186CAF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2524514466.0000028186CAF000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	lsass.exe, 00000006.00000003.3217007845.000001F2E2094000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3739196122.000001F2E2095000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1907351514.000001F2E2095000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000000.1930929743.000002736F820000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000002.3787235451.000002736F820000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.comSRD1#	svchost.exe, 0000002A.00000002.3725499698.000001E74AE77000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2051421492.000001E74AE77000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2058607590.000001E74C423000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2054757075.000001E74BBEF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3778892876.000001E74C423000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns2-ch1p.notify.windows.com/?token=AwYAAABRgjxu7x%2fdyWqbOoAAI8Gcd5ckhbCzw7F7Uxfu5MqaJ5M0DU	Microsoft-Windows-PushNotification-Platform%4Operational.evtx.23.dr	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000006.00000002.3720198630.000001F2E1850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1906371373.000001F2E1850000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000006.00000000.1906270895.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3718575754.000001F2E182E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ns.adobe.	dropper.exe	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	lsass.exe, 00000006.00000003.3217007845.000001F2E2094000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3739196122.000001F2E2095000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1907351514.000001F2E2095000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000000.1930929743.000002736F820000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000002.3787235451.000002736F820000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582958
Start date and time:	2025-01-01 05:35:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	37
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dropper.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@7/60@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1.1.1.1	6fW0GedR6j.xls	Get hash	malicious	Unknown	Browse	1.1.1.1/ctrl/playback.php
	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	1.ps1	Get hash	malicious	Unknown	Browse	172.67.144.62
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	188.114.97.3
	setup.exe	Get hash	malicious	Unknown	Browse	104.21.30.45
	U1jaLbTw1f.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	162.159.128.233
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	https://thetollroads.com-wfmo.xyz/us	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdf	Get hash	malicious	Unknown	Browse	104.16.123.96
	decrypt.exe	Get hash	malicious	Unknown	Browse	104.21.16.1
	decrypt.exe	Get hash	malicious	Unknown	Browse	104.21.16.1

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	41762
Entropy (8bit):	3.240653854231866
Encrypted:	false
SSDEEP:	384:L+7H+hH+hR+hM+hJ+hS+hh+hB+h3+hV+h4+hU+hV+hy+hRU3+h5U8W+hnw:GV83w
MD5:	68900116987BA4A9FAE2B7A3FE156C74
SHA1:	5E4D6BDA13569ED306976E5C12F65EFE742CFE80
SHA-256:	72A09926F99207102030A1AC471A98AE363CBD199A18D01ED70A2238A2D27C65
SHA-512:	F7B4A93B36EAF38A4A7F76841FDFCC09737895959E89919D5F577BE6B6F271BF3D3980F826416546A5181BE2AFEF993DAEDBB253236105AC8EC6E4797239FEBC
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.a.t. .. A.u.g. .. 0.5. .. 2.0.2.3. .2.2.:.0.4.:.5.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.319528316227881
Encrypted:	false
SSDEEP:	192:Cf8V7IF0RuqHQOnbgpib8AtYl+HDJ86PL+2SSD2Czp0gy16ZcC0/oUhQXzgwPtFt:dhkyHQOLt5jR7zpkYQ9+M/TG6OtiY
MD5:	D4672A4FF2FAD33B30F7DB9459BE77C7
SHA1:	58B66708E4ABDD64CCB7BC0F80E6EDE20FDF633D
SHA-256:	A4B7E010FEC2B54853C8A94C97140DCAE7AF81E07CB6CD823FB48CBC99866200
SHA-512:	FC288D186A31DDDC1F180BC3B493ECEAD3BEBA69BF7127D17312CBD37BAD3B49C37F71891448F8029C681219EDBA95F69EF48F06B934695BAF3EE89EE6BD69F7
Malicious:	false
Preview:	ElfChnk.u...............u............................O!.........................................................................................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............................9...........................).......................**......u.........K.i........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.4716976636035206
Encrypted:	false
SSDEEP:	384:IhBNimLN3UN3pNINcN3uN36ZN3fcN3dN3xzN3lN3RN3sN3YN3zN3TN3JN3xN3kNa:IAaC30SyTx57f6u5Z3/y2FpwsDZ0c
MD5:	A8000F250409496B9A7F5BD597D5ABD8
SHA1:	8ABB504A7782DD64253EFB3F25DCEFF077ECC054
SHA-256:	9F1A6231FEB657782C6F48692424FCC375464652041ED05656147126CABC3454
SHA-512:	AAFF5A590477880886C84E7889B7903BFABF85B3A40DFFFE09EE1CD72769CD8FA48B48229011FE8444EC4AA7B0344CB57D0ABD8A698736ED3A2D957D68B8713A
Malicious:	false
Preview:	ElfChnk._.......y......._.......y............G..xI.....q...................................................................../.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**......_..........f,........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.331054699031641
Encrypted:	false
SSDEEP:	384:4hKVQV7VdVdEV/jVAVjVKV+VsV6VxVpV5mVmVoVJVsVuVSVRVLViVfV3VFVd1Vtd:4f6tRq6
MD5:	A55F8FE23CE5534171D362488404A038
SHA1:	4D37770F8C1AC150CB96D6FF334C4ECD8544725A
SHA-256:	4B760E945407E37F03019186E44A4AB1831D95FA6E07BEF1ED59483772E93D53
SHA-512:	934786A1A185B4941F3943ADCF474BBA5440122940FF47F12816DA0E8ADF8BF28C47F2E6A30DBFBC0E82F086319C7F6D56CD901681C9D21446FCCCCF85D455CC
Malicious:	false
Preview:	ElfChnk.\|(.......(......\|(.......(..........hj..0l.../.....................................................................P.4P................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&............................................&...............................#......**......\|(........<Q.9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.393617986341297
Encrypted:	false
SSDEEP:	1536:Jl1fni2TDyiWAZfBzB6BbB2e7KBa23KDi/OyazwNJCmikDw:tfjDyeA
MD5:	684F8C8E5B777AE473F6D8AC6AB6E4CE
SHA1:	BB634D7D1397B7B822C33E07E08850A43775FA88
SHA-256:	B07928E2E9AC6AEB8D8363D49BADABDF9F5943676373E623DD0FC96FC5D26F79
SHA-512:	29650A5F0CB1CE6A28A98D251B97308FF0A82AAE9AA6E48D84C8727D1083607148F70F4620801F36618070A9AECBE1059691A15B1BF3864FD9D7E08CD3AFD6FA
Malicious:	false
Preview:	ElfChnk..'.......'.......'.......(..........................................................................................9.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................3W..#>.......................N..&........................................8...;.......@......;5...........`..........**.......'........~........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.339644599529794
Encrypted:	false
SSDEEP:	384:Whm+iMNEi1itiXiYiAiQiCiYiXiviCiriMiKiYili+iciSiVciji/DiQisiKi7iX:W8
MD5:	28598A748F427C73513FC87068EA82DC
SHA1:	AE7D5EDE9D2A8240F2215186F602CB00C3B9C765
SHA-256:	7B09A1235F2CC8CAF0EFF9B84BA168D9F46D09A6B50C3E334D9BF82CBC3A8688
SHA-512:	4FBC3222E003E693A489833D1641A7F23450DE58FFA456EAD9A9CECD5793DD101048516FBD48FDE06F322F4FB4E5A0A9284E8E07242208F9EDCB209D5A843486
Malicious:	false
Preview:	ElfChnk.........3...............3........... z..h\|...Nu.....................................................................W/S.............................................=...........................................................................................................................f...............?...................................b...........M...F...........................................................&.......................................................................................**..X..............w............>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.451479939821543
Encrypted:	false
SSDEEP:	384:8hI3c6dh3O3Km30v3635B33H353X3g3J3N33Lv3j3j3A3730j3ue3H3T39z3IM3g:8kqL+Tl5qhdWFgwc4MElvawvMLkA
MD5:	A043D303D4C9DA5A22FC14B661C4A393
SHA1:	E149DBA3095BC8BA07CD0F5CFE09F4B7ACDCCF42
SHA-256:	6593B544BC940CD488D47B0D36C31D0269871E42F71CD5AC2774D78D3C5B5F7D
SHA-512:	8D607A1095C7B02876A1AE19EBF37864E9B057D79EAA57062535A24CEADC5B482D8210374A995E64CB1C29C450C3E4B1E36729A48930B3DE751499D50C7A9089
Malicious:	false
Preview:	ElfChnk.........^...............^...........`.......,Yb.....................................................................0i..............................................=...............u...........................................................................................................H...............?...............................................M...F...........................................&................9......................................................................j...............*.................T.........B...&.......B...._.X.$.]...+........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.226677464865844
Encrypted:	false
SSDEEP:	768:ePcpk0+dC1RzsZrczv9ezTjlRLD1xzzmfgO5WJ:Z4PTjX
MD5:	FC8CA3DFF09ADBEDE628B106B4597313
SHA1:	B0AD82EE2CFF205CCA2C5B1D3CA791FC23F9D5F6
SHA-256:	6472E3A750522192B679E582BF92BD37C4EF4DCBF1EEF5191223D759D9A57215
SHA-512:	EA11AA30021EB02BAC718D84E4074AD8A20B40D0E4FEE658165B12B90EC125219D6BDA00889096008072A5FB5D30A95EDC04F597BEB08F69C4D2D32DFE0FA10C
Malicious:	false
Preview:	ElfChnk......................................&...(..........................................................................U..........................................4...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**...............q..f........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.9544721950362107
Encrypted:	false
SSDEEP:	768:Nl/LLKiILbXvvvD7rrXuXtPPrzbvjPH7bP3:SiZX
MD5:	C8B3960B94D7F6EDAA166EF1202406F3
SHA1:	F5591DEE9A209D016B692615143C9730AA9D55D0
SHA-256:	C25D251B2D4AE5EE578A9577E5C8B0AC03C52AFBF59734A2B28176C2E7E26DDC
SHA-512:	EE2DB1F7F731588EDE16BFDC4CEF1289F65E90107EABD1E02E7A60D78A0B7811CC831799777D432BAFB0C2E5AC5420B3818B73904ED4B663AA27B524B8CFF057
Malicious:	false
Preview:	ElfChnk.........................................p....6?"....................................................................._n................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**.................g,........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67560
Entropy (8bit):	2.501237128881698
Encrypted:	false
SSDEEP:	384:FoOKxioshuoS9VoryorOoroortorVorVorNorrmo4oruorlIoreorNorworgorDY:xsWqGO
MD5:	3E77A28B0BFCE52470724A95E6BCDD4E
SHA1:	C259387A8268FE547AB71BC87FE098F58502D38A
SHA-256:	F7363078A70C7E344C3769D8C456EF74621778FE3AA42EA32A9E4E09D4676A63
SHA-512:	31DD6A64E3BD8676A4ABB7806BC65ED0ECE5DD2B6A1A0CEF0281BD2DC87F84462F96B679E8B0390EA17550E53018B04A9B013C1BF71D53B8E81375910E752080
Malicious:	false
Preview:	ElfChnk.........M...............M............}......\j.!........................................................................................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................E{..............................**......L............\......../X.P................................................................>.......V...X.!..e...................\.....7.[.....7.[..........L....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.E{......!>....[.U.....i...........\|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.2039706117410094
Encrypted:	false
SSDEEP:	384:DhNPmP1PKPvPZl5P8P7PAPt/PU+PKP1PEPNPaPQPiPqPFDPhP6PwPXPaPZ8PWPC/:DDlvUGLpF
MD5:	01661CE82111D233D0EDD419D5119BE8
SHA1:	D353582E7C5A15D58F1CC0B61F84C9CB36DB5D56
SHA-256:	F63A28F35F0A819019B94902F2D1AD2EAA3F1BD882F52743576794F5CC2C6C1E
SHA-512:	4AB3A013426A5539FC24C3187862AFB3DAF182A87DF3F325F2134100B80B42620665B6B754F847E870391B9BCD1960ABF1CB750069A8F67B62B362812775453C
Malicious:	false
Preview:	ElfChnk.........G...............G........... t...u....y^....................................................................slG.................N...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...................................................................................................'.......................**..x...........B...S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.17749851276607
Encrypted:	false
SSDEEP:	768:LDbHtuYYZAqRidVY4HdYWgML/chv4PzSw05Wt19M6vz73mA4+9AxNAVBBBxZvaVL:M27
MD5:	2377A2986E7562AE209B0C7B1A9FB116
SHA1:	4100CDE39988A94E0F2C2E567A318A3072152C93
SHA-256:	F386C4F023E9249BFD51CFC86DA2F37A92C3A3D23706E13C8542642E06FCE35A
SHA-512:	FA9CC58025A745C55293FEBB0E25A4A3951F530219089E7FFCDB4DF48D175DB46889A1F6E47E67BB7CBD5C0E3C328B50E973DF1FBF7C99D37D2C4AFADF3485EE
Malicious:	false
Preview:	ElfChnk.........G...............G............q..ps....Y2....................................................................ZTUd................F...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..p...........!\|..S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.726256666452321
Encrypted:	false
SSDEEP:	384:vhch15hHh0hUh4hlhhhFhhNhPhLh1hthlh6hah+hFh1hVhEhUhMhFhJhKhthPFhz:vyyi
MD5:	58B669122D78B3DBC15B26B13AF24F1F
SHA1:	52C2EC46954527FADF36B293332C2CCE523777BE
SHA-256:	B67D0314B2BA9EA66FB0C9FB2CC2D2E05A96FA214D111C37A8D3BE64911E393C
SHA-512:	31F9EFE9996C1BD72A41695551224BD25EB5CF404CB084B71224C010BBF2B7F0BC69D14E6E4D1FF08A73FC22E528D0CD52F0A20335CEA8E1D658FA9A5E392747
Malicious:	false
Preview:	ElfChnk.....................................h...X...H.;......................................................................U..................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...................................................!i..........&...................................................................................**..X........................./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8000892145505037
Encrypted:	false
SSDEEP:	384:Agh7YJVYV4YcYIjYkYVpYsqYVyYV3YVfYVRYVIY:hfvzDWeM
MD5:	FB8EF4A38E3FDC0525A34D554965F5DB
SHA1:	A94D7E99F0C785FA7E8700735D612B24A61F0A0D
SHA-256:	AEE82412CDCD6B69164AE9131AEDA1D7C1316EC37C362C7F5F786B15CF116DB2
SHA-512:	221CE10A5DB5F0C7A9EAC4C29C40F804916F95E385907402FBF69CA5F2E528A31B4CB4BE921C92DF06C036ACF7BE7FB0BEA9EDE8DB72B56AB8B561CDEA9CC93B
Malicious:	false
Preview:	ElfChnk.z...............z...................@!.. #...c......................................................................(.$.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..h...z.........i._........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.7003053530983316
Encrypted:	false
SSDEEP:	384:4hDCq2cCp1Cz2TCLqCM2CZCjiCsCblCnC/iCsCe5CECOwCFCkUCXCUoCjCtorCrd:4UEJ2R
MD5:	C139622E93B5FD9CFDD9861EBDEBB7D7
SHA1:	7A96E25885C5667A9022273ACB5BE12FC467F18E
SHA-256:	12994B3B000A318C63A1EA41B34820B84186111C8E4AA4ADDEA949A0D873A01A
SHA-512:	E1BC89BCE5C12B6725DB9A451C90D1315AEF81D347F2E726C1BC9339DAA86C0785DC9DB68CC619A6268264449166A86F34D45AC1222FD14BD8B29150557BCFC3
Malicious:	false
Preview:	ElfChnk.m...............m...........................1.5......................................................................B&............................................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................*.. ...m.........13........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.954738911318435
Encrypted:	false
SSDEEP:	768:Gey39iM13dtfbSqyYcQGXrlhmQHZHm43/0YOb5UAqw/OAwuM2eWE:qSE
MD5:	95A466B0BE361D1512D025A2838AEE69
SHA1:	2008DD4422B6179F7BC616DA8C95E38656EA890D
SHA-256:	E7F45E387F04CADA57890034DFEFBAC8549877E2F9E84BD2CDA04E623D94E153
SHA-512:	E45129A9C4ADE748EA1428168C20D32D950E445942274378F7AEA91FCAD03AF88A2D85CE152CD9D855A8E128432A08DDD3D0ACD24043BE240D02B25EA35B896A
Malicious:	false
Preview:	ElfChnk.........F...............F...................z.........................................................................4.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................................................**..x...........&............./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.4726235874707605
Encrypted:	false
SSDEEP:	384:bh8kbAP1gjk+Jk+yk/3Suhfmk+Adk+AkKuIk+2hk+Dk+rk+4k+ik+8k+4k+Uk+Rh:bNAP1EHDzS0IpmjmoToEEltkV48m
MD5:	AC26D50D2D3912FE86A16EA4CBCB5F9A
SHA1:	312BCCC2C32A6CA888D0C61E3A7D665981196861
SHA-256:	4A27E235296E1A88F972B757A9C5FB8541B9690E15440283BB65AE87490D4EC3
SHA-512:	180F745B00315C2AD63F6EB1E211516336318C635DC2B2D71828FB7276ABDFC901019FED6C069187BBC067988FCCBE23BE24A911487E5A1B7EBD55AECB80E779
Malicious:	false
Preview:	ElfChnk......................................I...K..`K..........................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................~...................................U...............;...............................**..x............Ft.i...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.442282810864905
Encrypted:	false
SSDEEP:	384:2haEdEqXAEJVvOEJSvEqEBEENEuDEaExEOEAE7EmEizEJ6ExEZEX/+EaEF5EOcEI:2VXmIBqr97fAIiTtgT8GpO
MD5:	FA055F1875DD2C27B841F49DBAADB63C
SHA1:	949E19B4C447DD5C85BE2252866E95C57B3BADC1
SHA-256:	6D5BEAAB36A3B9775AB3F64C44E12F1A076384C2A63C8B4A0A4C456914DA5CB1
SHA-512:	51687B5B6EB2E8EBE482F2006DB2E08F1C6A6A7A153BC3A1A53C43839134F4CA835A273BF1DF5F446F970BB9AE9B56F6E24DABB2B64A43EDB8CAC815308472FE
Malicious:	false
Preview:	ElfChnk.....................................P.......%.........................................................................x................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F....................#...............!...9..=................O...=...........A...?.......;..ME..........}....................'..........5...........**...............2...9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.403731301560645
Encrypted:	false
SSDEEP:	384:MhPFKlcLBKalKuDGK1GKgkKClKvQKqlKlaKu7dKrXK7CK53HKstKoIK8eKugGKID:Mz8
MD5:	06EC284BBE790B4A4EB25BFB420AA9CA
SHA1:	507F4753DCB98236B69D16A6DF4E7F60663996EF
SHA-256:	30EEE8BD2523D9AA31518247C2B07587AD16340F5D2FAC30321F4CF218D99FCC
SHA-512:	A89E0C41F6368512F39017361AD64C69F44D935DCA7D81427093B769249962394E975D9DA6A32CC224142970B642A45DB58B68063935CDBD50B08CA7E13879E8
Malicious:	false
Preview:	ElfChnk.=...............=....................x..0z.........................................................................e^..................H.......................,...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...........................................................!.......................**..x...=.......m............./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.101474498980763
Encrypted:	false
SSDEEP:	384:fh+DEfbDisDTDqDPD1DPDXDuDTDGD8DMDRDcDvDhDlDEJDpDmXDyDsD6DwDKDOD0:frqyaBHYPi
MD5:	8EBCD9D9ECD23CD1DAEF3EEC565599BD
SHA1:	96C2138B19B3C09D72F86317B471ADF8006ED01D
SHA-256:	2C0074D6B13635455D703154BCD6479B6E45DFCF4A2DD99336AE8F37968F9C7F
SHA-512:	36571B4A172C43033BE635E3F8C3F960A30FF7150C404646057BE23988A2CE9C165CA2EF57E5115611D94AF2478AD0355D90A3FB18C3054AD65699461A9374B7
Malicious:	false
Preview:	ElfChnk.........<...............<...........8........\|c.....................................................................A...................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..............F_G.4........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.195979376606352
Encrypted:	false
SSDEEP:	384:3hdzpzAzKzyzIzazrzRztzPzxaz9OzJznzfzXz4zdz/znzYx3z9zrzmzYzwzYzXz:3K8WxvZ
MD5:	653A924524DAEBB7B128DF31FC7DBE43
SHA1:	0CA1C9DE5816405164F729D73217B069E412445C
SHA-256:	27567E3F1B1F16D6737D3BB03501E7972E6EDAF02E82FD0F1BDCF635EF9ACFE1
SHA-512:	C58997476D261F354C2DFBD43B1743A80B42D4EB9114606C7F269A98F1594064EC96E029AC4AB11C8FB6C93D4E362953A3558ABCAC5260A96E8B3A2A1B82C4CB
Malicious:	false
Preview:	ElfChnk.....................................@...0...'i%.....................................................................h>\.................<.......................d...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..............,o.{........../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.7323103950661578
Encrypted:	false
SSDEEP:	384:ghXIVUtIgUIiw7jI0eICpImAIp7ITIII/IaI/I7I26pCIQvILINIhIkI8IDITI0o:gQ0V6
MD5:	3ACE10EB22C2787464DC588D04E84316
SHA1:	C94BF7631234321A4273BE7FB78EA80A8735F5E6
SHA-256:	9B3AB119DED3474A29711345FBFC2561F4C802895B8506032AB958D246CF1C3D
SHA-512:	61C743528949F327BADA2566F454AD04E7FE6396C3E7821E339757658F477DD81C37CD06F067585EF349A01C6912C67FE1423BF9A548AA1554662B7E15FB12E8
Malicious:	false
Preview:	ElfChnk.............................................,........................................................................W.e................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F............................................................h......................................................................................**...9..............9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	75520
Entropy (8bit):	5.500876324947242
Encrypted:	false
SSDEEP:	384:MhZa5k3ia5q/a5Ia5aSa5xa5Oa59a5Ta53a5aGa5Qa5la5ta5qa5Ua5aea5qa5+j:M45TMdt
MD5:	CAA4DBB0AE6C57EDF19AFDB016979AA2
SHA1:	2BF3256C90D7D0E34037EA6D0E599F4C8A84DC18
SHA-256:	7013F164ED680547DF6644356DA3CB3C41A4A0CF267AD0565996CC8596D8CC7D
SHA-512:	5C6C2EC70664C8CD93916251F21BBC2BB3B7C32A439463D31E9B8D2651D415DD00FE724D5826F772D386EADF17A7F13A741A3DBDB650E8326B8F76A053343DA3
Malicious:	false
Preview:	ElfChnk..................................... #...$...........................................................................P./........................................8...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&.......................!...........................................................**................mE.[......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1077370972874387
Encrypted:	false
SSDEEP:	384:/h0QMqHM3EbMYFMOuM0cMn71MuMMxsM98M0n4MBHMovMmXMqQMrdMlOMZzMWHMBc:/ZWa
MD5:	31B4C50E440B12DE611B83FB80016602
SHA1:	4B65015C5696AB55B6A8AA904D8C5DEB01D89466
SHA-256:	14B007ED8B93B30280FC00050D0885A0F90AE539FC7C0BF258DCB7CD235E6449
SHA-512:	4DE718CC642B7C1956F53F04CE8F2F9A1CBA500239941CB58D12B9138DDE29C0F6344C008544D1B89DBB9942CB30F3C43168CC81D61B9727EAE918D131895417
Malicious:	false
Preview:	ElfChnk.........@...............@............l..Pn...1....................................................................V}.5........................................>...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..............)..S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.283328643162027
Encrypted:	false
SSDEEP:	384:rhb1Sh151f21Q1c161J1fA1eE1cj1/q1f+1Cz1410C1F1f81H111f210111X1fIx:r6vPCDe2v/bgrJlrxbz3t3fAQmWW
MD5:	7F7307E6C86FE9F132853D1E323F2975
SHA1:	5A78B31DEA4BDA58F85C0E6368619EBBCA6D4D97
SHA-256:	10FB8A8A5B182302C8929149D8019A362056B120CFB42B6BC36EFA9B8175F949
SHA-512:	0A525DB71FBDF951D54A827D4BC6B0499CC2182C1181613B9D51889D4E3BE3ED412840769DA4FFFBBBD2F45D5955C79C7A2F04686FC921C69447E0AD0EA5DCC7
Malicious:	false
Preview:	ElfChnk.0...............0...................`.......@;.........................................................................~................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................1.......................................................**......0...........]........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.323491793210398
Encrypted:	false
SSDEEP:	384:ChnIFwI1IcIIIEI1InI0IXInICIWIzIOILIqIhIXIJIrIPIMIiIMI/InIFIxImIp:CuxxVaJRr
MD5:	F33DFD304C991F70CF569E3EBC08BE06
SHA1:	2373312AAC629F3FCEC47C5279C096628B663B4F
SHA-256:	9A65B5D927E01AB85F97EBD7CB445A3C3A06A421ADCF452D9F2F843A21891250
SHA-512:	2A526957145E702E64DB4B7E10B770B24E8726AC2DD01D09D4DD54659537DE4153C5E4DA0567E2814009ED468A31436BBA5C0AB0AD5A36772D5FF50C161FC5C3
Malicious:	false
Preview:	ElfChnk..................................... ........4.......................................................................E?.........................................0...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..h...........r.........../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1542505361248714
Encrypted:	false
SSDEEP:	384:Z9hqILI6I6IUI+I4IZIhISCI3hUICIOIDIMIfINIEdImIDIXIjlII+I/IAIiIkIg:/HZhxKkDBhT
MD5:	3CEC1D686413B8E98FCBD789A56DDBE8
SHA1:	FA31F4C44F815458EEFAA9CC27F0DE2B4C2509A6
SHA-256:	85E45458806E48C42D4010DE1FBF208282294204CD3F93D808E77CE43BD49118
SHA-512:	4AD5C020A1949DDA42344DB8BEDE56A4799550F2670955631C9175290557516675934B8E49253BEB2C7747D94C58A54BC6E5E34F6352B1FCC965BD8AD7AB9046
Malicious:	false
Preview:	ElfChnk.........Q...............Q............o...q..-......................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..................S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.8996910875015867
Encrypted:	false
SSDEEP:	768:/41WS5OAT1rPgAT0nH15T0nr15T0nQ15T0nW15T0nr15T0nB15T0nh15T0nb15TT:dScA
MD5:	C44DE5E83424639B94A2A90268429E27
SHA1:	CF4EC67079E164F36E1002A27E727A65FA3E8FF7
SHA-256:	A6F0097EFCFE930E5DAB17B0528052C87E89411A24E3D385183DE1E40836FA0D
SHA-512:	9897510A9F38CAD487EE2DF982A64E6F1660693A206FB5E2891AEA61AB2CF2FABA1157F18008F8346B274358FFA27BFE3CE65A81BBCAC3F4D5BECF10F6E15BE1
Malicious:	false
Preview:	ElfChnk.Y.......[.......Y.......[............'.../.........................................................................I..Z........................................B...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..8...Y........n_I.9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	90928
Entropy (8bit):	5.041339025991445
Encrypted:	false
SSDEEP:	768:OucC5TweYiQBFEm8wcK1vrvLcucC5TweYiQBFEz:yefQaOrDMefQA
MD5:	DE6AF47D6A42B858B97F61666B4BA938
SHA1:	BF9E4C8531B6459479F2397D64E109C87E0E8749
SHA-256:	E6177D5D150B222713F917F330E0AE4F603A1D5988FA185921C867801EC68363
SHA-512:	9D6B1B29C05A1A7F633A9EDB20A8E6081F568BD6EB1C450C47D0FD20A3CE44B966493FAB545B691E371B7107FD0F30EF4128B4574A5EF139DBBEA1F52C6DDE15
Malicious:	false
Preview:	ElfChnk..................................W..(Z............................................................................q.................^...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................OG...................B..................................................7............K..................*..x..........X..e.[......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 4-8, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 10384593717069655257060992658440192.000000
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.0537278914911363
Encrypted:	false
SSDEEP:	384:xho8N8M8p8d8I8K8t8v681o8t8K8aI848s8D828P8N8285818n8U858w8v8yt8+w:xj31lT
MD5:	1820A0CC0157994DF1DE154990FF97A3
SHA1:	01D1E6DEDDC8F90BD6A95EB2E0029375A0DC10F6
SHA-256:	E715D3E2583E8E1CA7FEA44C0C15F139468BD1C3521DB27B6EB030216659FDC1
SHA-512:	1192793EFF5505948626915C0EB2377AED22239E4668C6D851432DD40869A14231192DE31464FF8051735802F22893CEB98C67EE2359FED7F02D6E0C759EB2B0
Malicious:	false
Preview:	ElfChnk.........@...............@...........8f...g...G(...............................................................................................................V...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..(...........e...S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.222976581592769
Encrypted:	false
SSDEEP:	384:ahuvnvmvJvBvdvrvwvSvovl+v4v6vvvmvcMvOyv4vCvAvTvGvP+v5vRvH8vUv5v+:aNzTEejRRTR2
MD5:	898BE7155AF8C5210FCC3E2791555582
SHA1:	C1707B34EA7DBBAE820BBB46E89F07BC62D6B057
SHA-256:	364616EDD194F52E5BDFE5FE8DC84315A1D8083425B35477432FF2C257B46E66
SHA-512:	923C46440BE007B42EA6F846C0DD7608E5C5688DF6738C49DCE3BFD0DD7CAC3E957402B30FDE422AE218AD7AF02C5A829CD0E17E4EF2B07EF836D09865ADCA31
Malicious:	false
Preview:	ElfChnk.........................................P...',.........................................................................1................v...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................f ..........................................................O.......................**..............l..-T...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.0928339855882148
Encrypted:	false
SSDEEP:	768:JS/Bp+UdTU8UqOUyGUwaUpcuUvKUruU6DUZ5UtaUKOUpSUv2UwLiUIeU7bUhCUrq:Q7rw
MD5:	E5E5CB492BDAFD78681C8FD31E7AF796
SHA1:	642AB8A4CEEE204110C55CAD1595DD56CE962933
SHA-256:	0505C443132FE0270224E4E107361F3D89BE1E7FE744D2EB1A13E6C0A8054120
SHA-512:	8C04C3B0C1AAE779639F41E760C2BDB7B4EF24A153232D8C5F5734C567425048064BCB324F985A2B90F23A876D365F1FF70E4549E2BD33543541D67F214F3532
Malicious:	false
Preview:	ElfChnk.....................................8...h..........................................................................A...................C...........................=...................................}.......................<...............................................................f...............?...............................................M...F...........................................................&.......................................................................................**..h.............h............>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	112240
Entropy (8bit):	4.305862504474589
Encrypted:	false
SSDEEP:	768:lGCHg0B0cWK5Pc6isrzhiGCHg0B0cWKyzR:QKGcWOPnzRKGcWDzR
MD5:	3E9E48F2B5F9FD54EE07B5D1EB5DA87D
SHA1:	F705007809C302FA95A0975D069436F890ACC4F9
SHA-256:	2FB086D790CE4CD94E7A4CFC79FED3F3234ACFEEF452742D4C68B8991F69AD36
SHA-512:	5CC2E7EF6A2B146434B57436C8C720D861358CC7D43F9CA847F59CBFE11E5E10666B8F2A10647607A94FD269BB5607B4401A4E48451E3D60FDC19B3D73BF6F2B
Malicious:	false
Preview:	ElfChnk.<.......s.......P...................h...p.... 2.....................................................................g.F.................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................!b..................................&............................................................;......................**.. ...P........v...9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.4160175146429084
Encrypted:	false
SSDEEP:	1536:YjtJTcmXTfu/hD9ouzDZx+DWQeD8yiM4C0BYEeKee6lFY99PXg95RA2IektFNEfk:Y5JTcmXTfu/hD9ouzDZx+DWQeD8yiM45
MD5:	723728B119BF371929EEBC4AF7DD8E23
SHA1:	9790467B8924422CE9420E04A23282995D0E6BE3
SHA-256:	86A5E0A0563A4B9A748881D677E3FD97C71B9815F8853569278CE6E5B85365E7
SHA-512:	0D65F1405BD0CF40A82974561DD2F29545A612CBA4A4FCA0D61EE073C149490F672C1B1A742EE82A388853740CB9DD3C6B956D4250F31928FE35CACE8F5A8133
Malicious:	false
Preview:	ElfChnk.~...............~.......................x......5.....................................................................h..................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**......~.......=............./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.462065794352662
Encrypted:	false
SSDEEP:	1536:yxRoE7CvraD3EfhdzvOpA8ZD7AlTEhHogHv874qYpihWbkKkj3fnBePkTiNVwWF/:yxRoE7CvraD3EfhdzvOpA8ZD7AlTEhIG
MD5:	634B7D0140C5BCDC5E09EF6A157D3CA9
SHA1:	FCEF7B231BF1BBB70422F3346937DF3498604A7D
SHA-256:	16FC44C60A15808F3D3088A7B5CA8C19293D10E2EA18C3ABB2E75FEDD49F3F08
SHA-512:	1742730C73164655FE80ECE6F66D4A9F899E214D7D2AEFD80B9FB0E9F96C0DF6A3411F449009DEA9761DC50204AF9BF679C9C849ABAFB54E63A47BE7F720A7CF
Malicious:	false
Preview:	ElfChnk.0&.......&......0&.......&..................s.. ....................................................................t...................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F......................................................................................................................a~...y......................**......0&......\[.>.[......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.95495667152001
Encrypted:	false
SSDEEP:	384:hhq7v7l7UZ7r7B7c7li7x/7Z7Z747A7rK7Rx7fy7P7C7I7F7W7DX7z7C7B7Z7f7b:hGzb8
MD5:	207070F55BDD6C076F86FE1F94267FAF
SHA1:	4A72985E1A32E99C4DE40D5C0927DDE4A878BA21
SHA-256:	E3E26612DA5AD020AEF05E58C6CA078A8F0A1157419D0E8F97D90D4CD784338B
SHA-512:	2CF76ED0C5ACC824D5E53AE10AD75AA98EBB3DD18806288AE203E22FC1F191E90DBE2D9366A6B55DB6A6424C5CE1B24F7C96BC91B3466C9E54917BD0FC338FA4
Malicious:	false
Preview:	ElfChnk.........2...............4............\...^..0........................................................................I.I........................................0...=...........................................................................................................................f...............?...........................m...................M...F...........................................m!..................&...........................................................e.......................**............................/X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.25845726685135
Encrypted:	false
SSDEEP:	384:jhwuTDFbuJuuDu/uVuuvu7uu6uOuU/ueuu/uFuuVuauUmuPuuAutuu2kuzjuUaur:jHawuFBoRW3L463zLKxWNmu16S
MD5:	3C6A30703741417619F7462E41CE2BE8
SHA1:	5F2EC46813F9DE24921D080B6A9E91C116E378EF
SHA-256:	B04CFC40D01C41748662302C062156C8E1D1C840397A2613C650576626A90688
SHA-512:	E8F335DB3A8706DADB6788EA60F37F67BBC0C0FE6F1D09DCA6032AB1864AD6E4E626D2E714364884DF568BAA8E720F9D75056CE0BAE6139AC81812AB149D3CD9
Malicious:	false
Preview:	ElfChnk.6...............=...................8.......4.$d....................................................................H.nP........................................F...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................o...............................*......=..................../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.344847625579545
Encrypted:	false
SSDEEP:	384:1heu/uSuWugu5uGuFu5ut1u7su+uPudu3uxuIuTuxufvuIUubuMuBuquZu/uKu9U:1P6ZDGl
MD5:	8C42E74E8C66ABCDB2D6F760472D2230
SHA1:	A51D713DD43DDC5E6A3C13261A0A0021F3DCC5A9
SHA-256:	0FCC0A933EEBF5C555865DD686BD91F804B2F7344F7A241C59D43453E50AAFCF
SHA-512:	571089787893446D0C34C6A9D54D975D130921BD41C980388616F01C040D34C300044F1B40A79B522455C852AC7E1B7A269E98BA690815B1809A62D500B77728
Malicious:	false
Preview:	ElfChnk.........H...............H............z.. \|..th./.....................................................................8..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..............%,H(T...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.2934272914022573
Encrypted:	false
SSDEEP:	384:4ahPAodANA9APA7SjAkxArIvjA2UlA/A3AnA7ATAnALAlAfMAYQAgiA/ABAxAsAP:4a9SNmIvvfek9kOj
MD5:	4670D6CB2003839F80297A663BDCD516
SHA1:	C0F7D8BD2AA6BCD0E64A5B600AEBA1993B58F5AC
SHA-256:	A75A797378A25BC32A19447409D149F84DDE2E12863310EAD51E67FD37DD88C8
SHA-512:	08E649ED0E553EBFA6A89F71AF1B195FA71202A4CD8FEC4CDF460C5E177B04A6B36230E5F72A7E2CFC94489752DF1A55387630636CFF3E30E66305A4B7C4ACAF
Malicious:	false
Preview:	ElfChnk.........r...............r...........8.......L..P....................................................................o.:.................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F...........................M........................%..........&...................................................................................**..............}y.._........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4235578493494723
Encrypted:	false
SSDEEP:	384:Thk+pUYnpdo4pd+pdnpdwpdVpd+pdrpd4pdRpd/pdqpd9pdopdKpdXpd8pddpddB:TI
MD5:	F73A1176C1C3480A891DE6E261F5C6FF
SHA1:	51C172AC2988571B01854B05D9C529E5D28792BC
SHA-256:	06BC7D1A33F115D8AB755EBA74A5143077BD41A34E02543138C0F17385305D5E
SHA-512:	246B38C086949B9D9D9AA30D0D91E75049FD7A60DD1EF54B3D59CBF78CA1BEFB17A0DCE9147E3F50CDCC9DF05BA67D3751A94472807E686FB03B5D55522CB830
Malicious:	false
Preview:	ElfChnk.&.......L.......&.......L............... ...........................................................................yk2........................................:...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**......&.......yN..^........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.1165076074122675
Encrypted:	false
SSDEEP:	384:ehmCpaKpmpL6pAsUpfwpAbdpABApAGQpTVp2LMpIJpAbWpW8pAWWpAJap8kpAE0E:ee
MD5:	D3ED7D15A868022FF51427F09AE9DF78
SHA1:	5C581BB0CB2FC5FFDD5421EDC8385E499B8E94F2
SHA-256:	BA1E741BDC4BE33B4990F0FC1C5EAAC2694C97E75FE5CE44FD9E259A634E2DA8
SHA-512:	32A5BE3C5DDC94F337AECDD6531801FCDFBF000EE74C29238A7399037747EA407E8852EBEF5713D20BF60B43133A505A3D1188D40711560A9D0E9EE45DC2BFF2
Malicious:	false
Preview:	ElfChnk.........R...............R...............X...Oq.................................................................................................................D...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............................i'..E...............................................**..............a...f........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.23578961372723
Encrypted:	false
SSDEEP:	384:nhoCKCQC8CUCLCYC7CFCuC2C+CxC1Cl0Ct4CCC2C7CLCtCeCeCiCmjC0zCpDCMCY:n+fNJCRxkjZHTUL
MD5:	FD12E39BDD53B4F6C68308373B84AE82
SHA1:	F4C8B45887BA886C67B7653DC82199ABE6C03DDB
SHA-256:	88E417E6EA6A692171ED218CC22FCC633B490A2CC10D1E75A3BA1A80149F89E2
SHA-512:	0D3B6C926BF67624C1527EE849E65F3EA22C34723FF858F252E909CA25AF94815EEA64A91B163A0B8E24C217BB4A35B2A2DAB495124D114E2C550D855BFA2766
Malicious:	false
Preview:	ElfChnk.........P...............P....................8sC........................................................................................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F.......................&........................................%............................................................................../...**..@.............1.S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77176
Entropy (8bit):	4.6717979422113025
Encrypted:	false
SSDEEP:	768:Z9snCS/9snCSTB0Fpby22wbyDEbyN/mbyZ:+CSMCSmnfigm/yk
MD5:	D16535BD6FC6044336C00F2DB5D4F36B
SHA1:	E279AB5E8079B38F6D71409A05159C227AB8FB82
SHA-256:	DBC9CC807201AF4CE51CFB685C077F2E988F56A6B3F27111CE7774A7E40BAF1F
SHA-512:	10E39ED5DDF6C4D99D810C3DF710C37C6EC2A29A2402BCEBDB0D22E00B9714792A1369774FC9B633ACC0F6741764ADF10A052BBF0C019785D0C6B0FC0EEA9EDC
Malicious:	false
Preview:	ElfChnk.M.......Z.......M.......Z...........@+..x-..........................................................................=.~........................................4...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................*..p...M............\......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.1233548013740915
Encrypted:	false
SSDEEP:	768:bvgffnPNm/2sY3pLwIkJ2jLHbj9fr7w2imMFopTMFw3grHUP90:EGaY
MD5:	18129A6AD9E0E2E9967A38CEE25610F7
SHA1:	660F0F224D114C6ED20719470863213729034AD3
SHA-256:	744B45C0DFB49E2B37EC61CA38D2F5C08C669B3D46863305155C550378F8FAEC
SHA-512:	2ACEF49A92DB67D284838E5EF439D70250F833FAD7599940CC368B3C42E7B04DB24E75D9F785558CBD760AB73E735CB805CC04419FA1A454927C96CCD8E2A46F
Malicious:	false
Preview:	ElfChnk.........@...............@..........................................................................................(z................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................fC...................................................................1..............**................8.S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.20363885681099977
Encrypted:	false
SSDEEP:	48:M4W4urP+MZQNRBEZWTENO4bpBdocjwi/6FgVt:NcKNVaO8tocV/6Fg
MD5:	8DF23D4FD33C7A96C88F8BEAA26D33A1
SHA1:	B08A40CB88ED5C8C0AD240FE4264F7782DB67323
SHA-256:	9E527CA6DF1111A2D5C858F34409F3A7BBEF323657B2F4A07535D11DCB58E733
SHA-512:	C597E0D4FFE0439C92376E8718C68CE9E391ADC0D660397D778AFAC3F38A72B726796B756FFDF2DCA410424514B1AED9C72EF5DB06F862D9F4A48641890F1F50
Malicious:	false
Preview:	ElfChnk..............................................c......................................................................8.C................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**...............f..[......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.299026542539241
Encrypted:	false
SSDEEP:	1536:XKoKKK3KOKbKrK7KAKqKpK0KXKAK8KTK+KfKvKYKqK4KGKkKhKjK9KyKeKhK1KK0:XKoKKK3KOKbKrK7KAKqKpK0KXKAK8KTP
MD5:	655CF07B534499B5897A98445A773894
SHA1:	77CD90DD0E3F2560471A19F1CB3E5D00F7FB97FC
SHA-256:	757F246BA51102679DA2631750560EC4E616955CA1D70855E2F71B090AA87386
SHA-512:	921DE3EFEF314813CCFD9C1255DC22D33638CC76AC00914389093430AAFDAF043CB8542E78DA7515B33138169A7C77C7855BD6D575F4222BAE16B5EA21E6344F
Malicious:	false
Preview:	ElfChnk.....................................`}......V.......................................................................<H^.................,...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..H...........N..)........../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.095482706952696
Encrypted:	false
SSDEEP:	384:oh8i4i/yi6iDiDi5iwiliM1iNiUiXKbieifiGiOiOiIiIiBigi1iVinixiEiVcio:op6xKouKN
MD5:	8279286FA538299CEA5E1B7A67F7D6C2
SHA1:	23C59B87F261098A9D8F9D151C9DA58D89115C6D
SHA-256:	9D7410C5B451CEB4EACD2C4C85866C50509862F12FD297E1C08093D785577765
SHA-512:	D2CDBC8D312DBF1CA68C5EA1B17AB2323FD09349836B599EE4AB9920A995C0A04E0BA52006E5A2742301D7007490A759774AC917BBF014A2865F301E380B334B
Malicious:	false
Preview:	ElfChnk.....................................hQ..pS............................................................................$.............................................=...........................................................................................................................f...............?...............9.......B.......................M...F...........................................................&...............................................................q.......................**..................f...........>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.308195154185309
Encrypted:	false
SSDEEP:	768:cxSaa8NlaranavazaZa5agCadadaZadacaRaZasasaUaUaMacaIaYaEakaAagakz:wN+n
MD5:	E9DC69694D7EB393F765C92A061B1B05
SHA1:	BB187BF1A6C3A7597B086270B5D929625724F739
SHA-256:	4A8C24850B0BF12CB133D66527C22F60445FC630458852FD4639997A104298B3
SHA-512:	4FC135129CCB66F136CDA206D44A97951321D762E9E5DF44800AA3788BCA2CB56B3E5128F09FD0AEFBC271791346872EC032CEF6B5D68B1D3EAF0225A17C15E6
Malicious:	false
Preview:	ElfChnk./.......x.......E.......................P..........................................................................^..................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............................................9...................................**..H...E.......3..Y.9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.9299077888714704
Encrypted:	false
SSDEEP:	384:FhNXDcXxzXZXeX/XOXMXauXLiXCXVX1XYXZXeX+XiXfXuXFXRX9XsX5XLXzXgXy7:FyAgGHqOT
MD5:	76BA72EAE141C7FB6DE412773F565CAF
SHA1:	87B63EFC028914E34F6E2DF282B58617DCBC7CB3
SHA-256:	C38FD9C6EE166B208F582F077AAD80EED644C244BB513205A53523026531FBF8
SHA-512:	C41CD72B9EB96894065505BB0EEB71617AA718718C179CD30D61ECF229DA6C89DFFDF34D49007FD39A44BBC288C65603DC93B77BD3EF24BF95AD48CB78AA0A82
Malicious:	false
Preview:	ElfChnk.........J...............J...........8........Y-f....................................................................._..................j...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................C...............................................................**..............C..?T...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.33351270240575
Encrypted:	false
SSDEEP:	384:7h2LmImemomHmOmamCm2m2m3mnBmGqmFmJmFmKmrm2mOmsmSmmmVmghmRmBmBSXy:7/fg
MD5:	A3CECA86515603ACD21A5619F5FA982F
SHA1:	500B2E9A12AF8777926BE38BC11D271587609701
SHA-256:	3C746E1A34EC9CC467DDB850D98FD6C78E4CD64B42902200B223264D58921BF8
SHA-512:	82ED8ABA2FEE142C939563E8F105A00699CF39B87A3C1950CCC15AE83323264CE814018118CE6F7920F07B42CB603400C223D6CF8FFB00383C07D19E1948900B
Malicious:	false
Preview:	ElfChnk.........................................P....4.b.....................................................................L).................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............3...................................................................**................y........../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9858077593970604
Encrypted:	false
SSDEEP:	384:/h0h21c2kS27W2VP2en32x2U2x2V2d2N26A2q242R2V2Y2w25vb2C2k2o2g2s2Ix:/2C5
MD5:	EBB898FA488ABABDAB76F93EAFF3A7B4
SHA1:	664A9CB2580B91B05557A782EC6BB10F796B157F
SHA-256:	C3664CA813702F10B279E763DBA0A80AEC287C478C07883D1B385342EFD01110
SHA-512:	24FE4811C011BC133711BA3916F8A18C6F7D12AA2BB0875683CECC0E8A992735D9BA7BFF0CE4CCAB2D1D4DB8029254D1317278DDC7029C6AF54D6B4A8C8CAF8B
Malicious:	false
Preview:	ElfChnk......................................]..._..^.I.....................................................................)..t................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...............................%...............................&...................................................................................**................+.g........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	116936
Entropy (8bit):	4.302524617140346
Encrypted:	false
SSDEEP:	384:UVhpR+daRsRjRQRPRZX8R6R/aRXRsRqRbR2R7RoR/RlR9R/RlRlRaRMR0lbRLRzH:eLlK4bLlK4R
MD5:	C44624B88E73C18E8DE18E55BDD1CCD1
SHA1:	45B102A717E24283885422BF679DE892554B96E1
SHA-256:	49045A895B9E750EB0EC22ECAF12EF0064C9C485BBE6168E8587E83C172FC2C8
SHA-512:	6F9DCE53B937FCB9402B7CC5F3ADE0AB700AC03CC0FED3C856539D2ECC0F9EC5AC1F1CFE1358974486A14D15A7CE2141B420C46B864D4B154BFE4CA74A9D4505
Malicious:	false
Preview:	ElfChnk.Z...............Z...........................#.S............................................................................................2.......@..............=..........................................S.......................%...........................J...........................f...Z...........?......................................?.......M...F...a...........}...................................y.......&.....................................................................................**..X...Z........;..9..........>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.386346226032655
Encrypted:	false
SSDEEP:	384:YhCh7whqhvh4h/hMNhihhiVqhXhPh5Vh+hth0qhPdh4zshS3hi9uhiZhhpYhAThc:YkMfO1mDIH4
MD5:	5F4B2BE9E85F278346DFE1CAF76BBCCF
SHA1:	0BADD0B3FC1924FE4A3AD5BB40ED1960551394DA
SHA-256:	23F4F1F14256E404CEE78CDC9EFB49C1B51E0C42FC9E44F463FE5FC91E593418
SHA-512:	D1FD10530785355578066AF943598248D46AE8C9CEDD0FD9D4FC6BAFDCF9C701E55135008BD4073D19C96BA5DA6C18A8B34B45BCD0393212428A42C6123654FC
Malicious:	false
Preview:	ElfChnk.........6...............6...........X....... .........................................................................Z.........................................l...=...........................................................................................................................f...............?...........................m...................M...F...........................................A...................&...................................................................9...............**..@...............,........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.5472730164672246
Encrypted:	false
SSDEEP:	384:Ch2VaVYVtVbVwVoVTVJVgVZVrVdVfVKVHVl/V+VnkVkgVOVEVRVtVsVCVFVhfV5i:CWIreU7U7enh
MD5:	CC82A81AD0A78245AA328420E38F641E
SHA1:	370920E7A1718C0E2C2A5FEB2B63B703E7A16BD3
SHA-256:	A694AD5D2CBC8CE32A73382A5FF90762729298D812F99D317D3F15A0C474CB5E
SHA-512:	8C51DD6D07930259B2DD00BD3461F53EA609440966DBCB0E429F68A3CC8B800EF8BB7AA7EB48A3BCD73FEFC0015E083F4B6EF174B48F35BDE9A4EBAFCAB135E5
Malicious:	false
Preview:	ElfChnk...............................................E....................................................................,..R................&...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..P...........F~..S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.28835624131716
Encrypted:	false
SSDEEP:	384:AhuZBwBQ/lrBwB7/FBwBK8bV5BwB5dYBwBkBwBHBwB/BwBGBwBkBwBd5BwBJ+Bwo:A58bSH9
MD5:	EC462CF0445EB4D0861CC62BE0588B64
SHA1:	127547AB89EE1AF7D0562BC5DBDC65E8E2242B77
SHA-256:	3B12D08D43163A5424C53B78CD053CA0170CBF53E96D4BA08411D32224772727
SHA-512:	A8FDCAC3465AD13094EDCC11B4B4DAB4C6E245D12CFE519B8496CB4F55470423973F875374D9AF5A21D29B4ACEA046E72644F7F2B92847BA78B64023B2D32650
Malicious:	false
Preview:	ElfChnk.............................................\|5.......................................................................PS............................................=...........................................................................................................................f...............?...........................m...................M...F...........................W...................................&..................................................................................*..............6\. ^........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.399143402450045
Encrypted:	false
SSDEEP:	384:Bh1wUEFUEmUEMUEgUENUEqUEqUEWUEvUESUE4UE4UE3UEbUEpUEpUE9UEgUExUEZ:BLuWRqXJQe
MD5:	0A6EA9FFB36FCE1CA5FC391F71CCBB07
SHA1:	3EC7C009F99DFDCA0F928EEE8D5BD1DEAA5D9974
SHA-256:	9501E606B0391138F39CCC472E00804C5F6138732F63AD4F24535A9F6C13CCE7
SHA-512:	60B6AD91EF3F78108D847C9B7F1E527AA6C159FBF5A52054630EC16EB594CE22A577B021113C078CA4CC078A90B5C31075F4615C45A4CE24CEA980B9875EADCF
Malicious:	false
Preview:	ElfChnk.........+...............+...........x}......s.tU........................................................................................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&....5.......................................................3......................**.............. 2^O.9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\OneApp_IGCC.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.4408471966964385
Encrypted:	false
SSDEEP:	384:pw0+VsWZttC95UZhVhRoSxHJUBvv3R2ipPR7odz6L7RPLfVXYgXcIycjd52T42Si:p3sfo/0NQhxf27SVSVTuziNpBg12U
MD5:	44092C364E8D55775B9DDFC8D91AE97D
SHA1:	A19690BA05C8B6009B8F4CE070BCD4ABC8BC39BA
SHA-256:	0A5058FE3DC424573205F96E939213E251FD63FD2AA06F764B15C5CCF1692C63
SHA-512:	96D0DCF022A2A6B41241A8C820E27D5F59A5331916FFFBB36315FB943A17DC43EBB8DA4F63456BDA658AD441774D22B3079E66A09177598C1AAD762DA9C1455F
Malicious:	false
Preview:	ElfChnk.........+...............+............Y...Z..'<.......................................................................~.L............................................=...........................................................................................................................w...............P...........................~...................M...m...........................x...............................................................&.......................................................**..x............Bo.,.........\|.=O&.......\|.=O.s.Q...W.E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..j............{..P.r.o.v.i.d.e.r...G....=.......K...N.a.m.e.......O.n.e.A.p.p._.I.G.C.C._.W.i.n.S.e.r.v.i.c.e..A..M............a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V

C:\Windows\System32\winevt\Logs\Security.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69768
Entropy (8bit):	4.375857894739811
Encrypted:	false
SSDEEP:	384:utvFRAB9otxXtvFRAB9otx7oN0ooXooo5m8o5mAo5mXTo5mDo5m6oZeojKo5mfoR:sNAMNAmeEX1
MD5:	FA8BC037D057D9D3334D46D7F4BF4838
SHA1:	3ED570DFC2F3FDD5802C62DCABA75CFB3C97CC2E
SHA-256:	D216AE1017998735F234CF018CA38A9C2DB680202B8D39CF1A4B366271646AAE
SHA-512:	4699621E1BCDB0318FCC4DA63F8C30CCD3EC084644218F938AF2A0BA94C168E3BE976D72159FCC703F13CD44965D24084734F4D2F5E893A5BA927F59A0083D44
Malicious:	false
Preview:	ElfChnk..................~.......~...................3x........................................................................X................Z...s...h...................=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:...........................&...............................>.......................3...........................................................**.......~......<1...\............&...........0.P\...3.Du?.......A..3...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....\...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\System.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69616
Entropy (8bit):	4.4118460786111955
Encrypted:	false
SSDEEP:	768:MQvKhR8XwKiYI/fNb+tpt5dGE2LcWkW+TVid:PKz8XwK+apTW+Rid
MD5:	3E79B44B6FAC155318CE3D717D99A300
SHA1:	D8FCBCD9B625C4E9629F91A43C0DF5C48FE541DA
SHA-256:	DF43123880C6D39E98E42D709A886563FDF6BBABD64DC224E5C0348F3E84B9BE
SHA-512:	4D1738A39E286702D38F2D2C394611B5585AA401EC6B90F954B9B6DA30A06C341604BD6F5DAC92832F1832F5209632FD1B8A36D2620B351BCA5DEC5501F3FF6B
Malicious:	false
Preview:	ElfChnk..................0.......0..................7.Ag....................................................................%'kJ....................s...h...............N...=...................................................N...............................................w.......0.......................E...................................W...........).......M...3...:...................................................................&...........................................................................**.......0......h.u..\.........}.T&........}.TA.P[J.......;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\Temp\tempdll.dll

Process:	C:\Users\user\Desktop\dropper.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	327168
Entropy (8bit):	6.316591750729637
Encrypted:	false
SSDEEP:	6144:JuSz+RPxUiZ2qXwEhGSGvdu0n+OQmVQ6fypHixVPlnUjb9vCiH2J:JfCRPxUiZ2qAEw1vI0+O42VdSX
MD5:	373F9ABE64CA95F655601617BF7BCF0A
SHA1:	1B268C5E0D5F6D4850B317509EC7F1990A8D453C
SHA-256:	0B0D6A4118E25C3F4C8BEEE210F0306DC71925FF6FB952CE3F44E8A55785EDF1
SHA-512:	9F8F84D00492E2EDD6A059BE0F652FA269D69DC9B05B1341366A22F2179EDAD522F819484D45CD0712DA679349C271C2D97DBF0A57053148540DD0B48BC2B9FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R.................................................z........................Rich...........PE..d.....tg.........." ...).....^.......m.......................................0............`.........................................0...D...t...................p............ ..h...@...T.......................(.......@...............P............................text............................... ..`.rdata...3.......4..................@..@.data...............................@....pdata..p...........................@..@.reloc..h.... ......................@..B................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.101883395513586
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dropper.exe
File size:	3'219'456 bytes
MD5:	a2d2d6a7f9b52b27a32a93bb3bca4d47
SHA1:	9c2c72f0f8c3faffb3601b9e5762a7c97afebcf5
SHA256:	c138bac3528a45a5a1fd624fd0b9526d61503dc5a7674aef195fa3cf33c44f71
SHA512:	cfc443e576b86c584575116341bb22bdf1d973069ac2a8f10295733fb82c31790015d505c0d0fee3cf500e2a6581912a01cd856d53b3f65d430bc7c9bf45bb40
SSDEEP:	49152:dKMfxFX/0Yaej+4sCTbi0BrK1IuNpEbdCrfAKkkhpY1uD8G9T3bgVI+DKt20MJ:dFHkeAjIBv8pYk8GxbgWt
TLSH:	DEE5AE16BA4659ACC05AC074834A8A73AA3574CE4B35B9FF05D486383FA9FE41F3C719
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C...-...-...-.......-..y,...-..y....-..y)...-..y(...-.M.,...-...,.F.-...-.}.-..x/...-.Rich..-.........PE..d.....tg.........."

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140156a80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6774C31B [Wed Jan 1 04:22:51 2025 UTC]
TLS Callbacks:	0x40140a20, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	1ee790a9e24dcc377114ebcc153f87f0

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F33CCB50558h
dec eax
add esp, 28h
jmp 00007F33CCB500E7h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007F33CCB50288h
inc cx
and edx, 8D4DF000h
wait
add al, dh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x305474	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x308000	0xa53c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x313000	0x1e44	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2e4120	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2e4180	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2e3fe0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15f000	0x400	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15df1f	0x15e000	d91fe1065e959bd46bd03ad2737e5e83	False	0.44827078683035715	data	6.330800773355482	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15f000	0x1a73a6	0x1a7400	44cf17829938fca02b01fec552166f65	False	0.7778865410883048	COM executable for DOS	7.39075622308576	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x307000	0x4a0	0x200	1cfce2dac0df4bde52a55f55d337956f	False	0.349609375	data	2.7863635849126176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x308000	0xa53c	0xa600	2173f48ab50d83738d29d443bbaa745e	False	0.5125658885542169	data	6.1296309036082635	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x313000	0x1e44	0x2000	20161976af0e2cfc77c411b569a72db9	False	0.485107421875	data	5.351032841751557	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng
bcrypt.dll	BCryptGenRandom
ADVAPI32.dll	LsaAddAccountRights, SystemFunction036, AdjustTokenPrivileges, LookupPrivilegeValueW, LsaClose, GetTokenInformation, OpenProcessToken, LsaOpenPolicy
kernel32.dll	GetStdHandle, GetCurrentProcessId, QueryPerformanceFrequency, GetEnvironmentVariableW, lstrlenW, ReleaseMutex, GetCurrentDirectoryW, CreateFileW, SetLastError, GetConsoleMode, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetFullPathNameW, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetProcAddress, GetSystemInfo, QueryPerformanceCounter, WaitForSingleObject, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, SwitchToThread, GetCurrentThread, SetThreadStackGuarantee, AddVectoredExceptionHandler, GetCurrentThreadId, GetSystemTimeAsFileTime, FormatMessageW, LoadLibraryExA, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapFree, HeapAlloc, GetProcessHeap, GetModuleFileNameW, Module32NextW, Module32FirstW, CreateToolhelp32Snapshot, GetProcessId, CloseHandle, GetLastError, GetCurrentProcess, GetModuleHandleA, VirtualQuery, GetModuleHandleW, OutputDebugStringW, SetFileInformationByHandle, HeapReAlloc, IsProcessorFeaturePresent
oleaut32.dll	GetErrorInfo, SysStringLen, SysFreeString
api-ms-win-core-winrt-error-l1-1-0.dll	RoOriginateErrorW
ntdll.dll	NtWriteFile, RtlNtStatusToDosError
VCRUNTIME140.dll	memcmp, memcpy, _CxxThrowException, __CxxFrameHandler3, __current_exception, memset, __current_exception_context, memmove, __C_specific_handler
api-ms-win-crt-string-l1-1-0.dll	strlen, wcslen
api-ms-win-crt-math-l1-1-0.dll	roundf, truncf, ceil, exp2f, __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll	_initterm, _initterm_e, exit, _exit, __p___argc, __p___argv, _cexit, terminate, _c_exit, _initialize_narrow_environment, _register_thread_local_exe_atexit_callback, _configure_narrow_argv, _set_app_type, _seh_filter_exe, _initialize_onexit_table, _crt_atexit, _register_onexit_function, _get_initial_narrow_environment
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	free, _set_new_mode

Target ID:	0
Start time:	23:37:59
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\dropper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\dropper.exe"
Imagebase:	0x7ff71c070000
File size:	3'219'456 bytes
MD5 hash:	A2D2D6A7F9B52B27A32A93BB3BCA4D47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	23:37:59
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66ddc0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	23:38:00
Start date:	31/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe"
Imagebase:	0x7ff6cd170000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	23:38:00
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66ddc0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	23:38:05
Start date:	31/12/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff76c770000
File size:	944'128 bytes
MD5 hash:	A987B43E6A8E8F894B98A3DF022DB518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	6
Start time:	23:38:05
Start date:	31/12/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff694dd0000
File size:	59'448 bytes
MD5 hash:	15A556DEF233F112D127025AB51AC2D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	23:38:06
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	8
Start time:	23:38:06
Start date:	31/12/2024
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff6a9570000
File size:	830'520 bytes
MD5 hash:	AB7AB4CF816D091EEE234C1D9BC4FD13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	9
Start time:	23:38:06
Start date:	31/12/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff657e30000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	23:38:07
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66ddc0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	23:38:07
Start date:	31/12/2024
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff6a9570000
File size:	830'520 bytes
MD5 hash:	AB7AB4CF816D091EEE234C1D9BC4FD13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	12
Start time:	23:38:07
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k RPCSS -p
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	13
Start time:	23:38:07
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	14
Start time:	23:38:07
Start date:	31/12/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff6ac9c0000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	15
Start time:	23:38:11
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	16
Start time:	23:38:11
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	17
Start time:	23:38:11
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	18
Start time:	23:38:11
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	19
Start time:	23:38:11
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	20
Start time:	23:38:12
Start date:	31/12/2024
Path:	C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe
Imagebase:	0x7ff62f000000
File size:	365'360 bytes
MD5 hash:	B6BAD2BD8596D9101874E9042B8E2D63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	21
Start time:	23:38:12
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	22
Start time:	23:38:12
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	23
Start time:	23:38:13
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	24
Start time:	23:38:14
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	25
Start time:	23:38:14
Start date:	31/12/2024
Path:	C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe
Imagebase:	0x7ff70b6d0000
File size:	399'664 bytes
MD5 hash:	91038D45A86B5465E8B7E5CD63187150
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	26
Start time:	23:38:14
Start date:	31/12/2024
Path:	C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe
Imagebase:	0x7ff7c4d20000
File size:	521'536 bytes
MD5 hash:	3B0DF35583675DE5A08E8D4C1271CEC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	27
Start time:	23:38:15
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	28
Start time:	23:38:15
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	29
Start time:	23:38:16
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	30
Start time:	23:38:16
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	31
Start time:	23:38:16
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	32
Start time:	23:38:16
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	33
Start time:	23:38:17
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	34
Start time:	23:38:17
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	35
Start time:	23:38:17
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	36
Start time:	23:38:18
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	37
Start time:	23:38:18
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	38
Start time:	23:38:18
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	39
Start time:	23:38:19
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	40
Start time:	23:38:19
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	41
Start time:	23:38:19
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	42
Start time:	23:38:20
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	43
Start time:	23:38:21
Start date:	31/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
Imagebase:	0x7ff72ee70000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false