Windows Analysis Report
dropper.exe

Source: C:\Users\user\Desktop\dropper.exe

Process token adjusted: Security

Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.20.dr	Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeD
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.20.dr	Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exed
Source: System.evtx.20.dr	Binary string: C:\Device\HarddiskVolume4K
Source: System.evtx.20.dr	Binary string: \\?\Volume{cb7fdaf7-d8ae-4a24-98ab-ca007942ac33}\Device\HarddiskVolume1m
Source: Microsoft-Windows-SMBServer%4Operational.evtx.20.dr	Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-SMBServer%4Operational.evtx.20.dr	Binary string: computer WORKGROUP:\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}
Source: System.evtx.20.dr	Binary string: \Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.20.dr	Binary string: \\?\Volume{cb7fdaf7-d8ae-4a24-98ab-ca007942ac33}\Device\HarddiskVolume1an
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.20.dr	Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.20.dr	Binary string: J\Device\HarddiskVolume4\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.20.dr	Binary string: C:\Device\HarddiskVolume4
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.20.dr	Binary string: 1\Device\HarddiskVolume4\Windows\System32\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.20.dr	Binary string: 1\Device\HarddiskVolume4\Windows\System32\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeo
Source: System.evtx.20.dr	Binary string: \\?\Volume{cb7fdaf7-d8ae-4a24-98ab-ca007942ac33}\Device\HarddiskVolume1iceV
Source: Security.evtx.20.dr	Binary string: \Device\HarddiskVolume4\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.20.dr	Binary string: .\Device\HarddiskVolume2\EFI\Microsoft\Boot\BCD~
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.20.dr	Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeo
Source: Security.evtx.20.dr	Binary string: \Device\HarddiskVolume4\Windows\System32\drivers\filetrace.sysrit
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.20.dr	Binary string: >\Device\HarddiskVolume4\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.20.dr	Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeT_AH**
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.20.dr	Binary string: :\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}
Source: System.evtx.20.dr	Binary string: \Device\HarddiskVolume4\Windows\SysWOW64\tzutil.exeL

Source: classification engine

Classification label: mal76.evad.winEXE@5/60@0/1

Source: C:\Windows\System32\cmd.exe

Code function: 2_2_000001E9EC5E8620 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,GetModuleHandleW,FormatMessageW,GetLastError,

2_2_000001E9EC5E8620

Source: C:\Windows\System32\cmd.exe	Code function: 2_2_000001E9EC5D64B0 OutputDebugStringW,LsaOpenPolicy,GetCurrentProcess,OpenProcessToken,GetTokenInformation,LsaAddAccountRights,LsaClose,LsaClose,LsaClose,memset,OutputDebugStringW,memset,OutputDebugStringW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,		2_2_000001E9EC5D64B0
Source: C:\Windows\System32\cmd.exe	Code function: 2_2_00007FFE99AE64B0 OutputDebugStringW,LsaOpenPolicy,GetCurrentProcess,OpenProcessToken,GetTokenInformation,LsaAddAccountRights,LsaClose,LsaClose,LsaClose,memset,OutputDebugStringW,memset,OutputDebugStringW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,		2_2_00007FFE99AE64B0

Source: C:\Users\user\Desktop\dropper.exe

Code function: 0_2_00007FF77F277CB0 memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,CreateToolhelp32Snapshot,memset,OutputDebugStringW,Module32FirstW,memset,memset,OutputDebugStringW,memset,OutputDebugStringW,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,memcmp,memcmp,memcmp,memset,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,Module32NextW,memset,OutputDebugStringW,NtClose,memset,OutputDebugStringW,

0_2_00007FF77F277CB0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4360:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03

Source: C:\Users\user\Desktop\dropper.exe

File created: C:\Windows\Temp\tempdll.dll

Source: dropper.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dropper.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dropper.exe "C:\Users\user\Desktop\dropper.exe"
Source: C:\Users\user\Desktop\dropper.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dropper.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dropper.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dropper.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: dropper.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: dropper.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: dropper.exe

Static file information: File size 3247104 > 1048576

Source: dropper.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15da00
Source: dropper.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1ad800

Source: dropper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dropper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dropper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dropper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dropper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dropper.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: dropper.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: dropper.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.errorWt source: svchost.exe, 00000012.00000000.1910798877.0000015B91647000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3678032834.0000015B91647000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdb source: svchost.exe, 00000012.00000000.1910798877.0000015B91647000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3678032834.0000015B91647000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: dropper.pdb source: dropper.exe
Source:	Binary string: *@C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdb source: svchost.exe, 00000012.00000002.3676309771.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910751932.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.errornp source: svchost.exe, 00000012.00000000.1910798877.0000015B91647000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3678032834.0000015B91647000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\ntkrnlmp.pdb source: svchost.exe, 00000012.00000002.3676309771.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910751932.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\TCDE709.tmp.pdb source: svchost.exe, 00000012.00000002.3679635107.0000015B91656000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910875331.0000015B91656000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: dll.pdb source: dropper.exe, 00000000.00000003.1801624709.000001230EE59000.00000004.00000020.00020000.00000000.sdmp, dropper.exe, 00000000.00000002.1803905185.000001230EEA9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.3686700641.00007FFE99B0C000.00000002.00000001.01000000.00000005.sdmp, cmd.exe, 00000002.00000002.3670963762.000001E9EA416000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.3679635109.000001E9EC5FC000.00000002.00000001.01000000.00000005.sdmp, tempdll.dll.0.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdbTCDE&@ source: svchost.exe, 00000012.00000000.1910798877.0000015B91647000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3678032834.0000015B91647000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: svchost.exe, 00000012.00000002.3679635107.0000015B91656000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910875331.0000015B91656000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\download.error source: svchost.exe, 00000012.00000002.3676309771.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910751932.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062.pdb source: svchost.exe, 00000012.00000000.1910798877.0000015B91647000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3678032834.0000015B91647000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000012.00000002.3680429632.0000015B9166B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910914394.0000015B9166B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991 source: svchost.exe, 00000012.00000000.1910798877.0000015B91647000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3678032834.0000015B91647000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.error source: svchost.exe, 00000012.00000002.3676309771.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910751932.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\TCDE703.tmp.pdb source: svchost.exe, 00000012.00000002.3680429632.0000015B9166B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910914394.0000015B9166B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000012.00000002.3680429632.0000015B9166B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910914394.0000015B9166B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000012.00000002.3680429632.0000015B9166B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910914394.0000015B9166B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: dll.pdb( source: dropper.exe, 00000000.00000003.1801624709.000001230EE59000.00000004.00000020.00020000.00000000.sdmp, dropper.exe, 00000000.00000002.1803905185.000001230EEA9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.3686700641.00007FFE99B0C000.00000002.00000001.01000000.00000005.sdmp, cmd.exe, 00000002.00000002.3670963762.000001E9EA416000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.3679635109.000001E9EC5FC000.00000002.00000001.01000000.00000005.sdmp, tempdll.dll.0.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\ntkrnlmp.pdb source: svchost.exe, 00000012.00000002.3676309771.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910751932.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\download.error source: svchost.exe, 00000012.00000002.3676309771.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910751932.0000015B9162A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINWORD1.PDBwinload_prod.pdb source: svchost.exe, 00000012.00000002.3679635107.0000015B91656000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910875331.0000015B91656000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000012.00000002.3680429632.0000015B9166B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1910914394.0000015B9166B000.00000004.00000001.00020000.00000000.sdmp

Source: dropper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dropper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dropper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dropper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dropper.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\dropper.exe

File created: C:\Windows\Temp\tempdll.dll

Jump to dropped file

Source: C:\Users\user\Desktop\dropper.exe

File created: C:\Windows\Temp\tempdll.dll

Jump to dropped file

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\dropper.exe	Section loaded: OutputDebugStringW count: 1228
Source: C:\Windows\System32\cmd.exe	Section loaded: OutputDebugStringW count: 1973

Source: C:\Windows\System32\conhost.exe

Window / User API: threadDelayed 9118

Source: C:\Users\user\Desktop\dropper.exe

Dropped PE file which has not been started: C:\Windows\Temp\tempdll.dll

Jump to dropped file

Source: C:\Windows\System32\cmd.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-11189

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe

Code function: 2_2_000001E9EC5E80E0 OutputDebugStringW,CloseHandle,memset,FindFirstFileExW,FindClose,

2_2_000001E9EC5E80E0

Source: lsass.exe, 00000006.00000000.1848773496.000001D5A0CA8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000014.00000000.1918128496.0000024472040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3681342964.0000024472040000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: lsass.exe, 00000006.00000000.1848773496.000001D5A0CA8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000007.00000000.1854366097.000001C254800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: svchost.exe, 00000007.00000002.3691967229.000001C254013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: svchost.exe, 0000000A.00000000.1861897146.0000020295213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3732406775.0000020295213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.3733618857.0000023DCECDA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000000.1964395015.0000023DCECDA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000000.1964042058.0000023DCEC24000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.3730778928.0000023DCEC24000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000002.3676836230.0000020206832000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000000.1974262335.0000020206832000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000020.00000002.3672044851.00000176A2C00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000006.00000000.1848773496.000001D5A0CA8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000007.00000002.3691967229.000001C254013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmicshutdown
Source: svchost.exe, 0000000A.00000000.1861942504.000002029522A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3732882937.000002029522A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: svchost.exe, 00000007.00000002.3691967229.000001C254013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @vmicshutdown
Source: lsass.exe, 00000006.00000000.1848541761.000001D5A0C13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3671476740.000001D5A0C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.1865068592.0000017A4FA13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3670300175.0000017A4FA13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000000.1902839830.0000023624C29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3671063709.0000023624C29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3674201539.0000021074A2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1905255624.0000021074A2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1918128496.0000024472040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3681342964.0000024472040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1928161645.000002624BA5A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000007.00000002.3691967229.000001C254013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @vmicheartbeat
Source: svchost.exe, 00000007.00000000.1854366097.000001C254800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\System32\cmd.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\dropper.exe

Code function: 0_2_00007FF77F3C7054 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF77F3C7054

Source: C:\Windows\System32\cmd.exe

Code function: 2_2_000001E9EC5CCAF0 OutputDebugStringW,GetLastError,GetLastError,memset,memset,OutputDebugStringW,GetLastError,OutputDebugStringW,

2_2_000001E9EC5CCAF0

Source: C:\Users\user\Desktop\dropper.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\dropper.exe	Code function: 0_2_00007FF77F3C7054 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF77F3C7054
Source: C:\Windows\System32\cmd.exe	Code function: 2_2_000001E9EC5F823C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000001E9EC5F823C
Source: C:\Windows\System32\cmd.exe	Code function: 2_2_00007FFE99B0823C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE99B0823C

Source: C:\Users\user\Desktop\dropper.exe

Memory allocated: page read and write | page guard

Allocates memory in foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\dropper.exe

Memory allocated: C:\Windows\System32\cmd.exe base: 1E9EA1F0000 protect: page read and write

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\dropper.exe	Thread created: C:\Windows\System32\cmd.exe EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread created: unknown EIP: AAA804F0	Jump to behavior

Disables Windows Defender (deletes autostart)

Source: C:\Windows\System32\cmd.exe

Registry value deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\dropper.exe	NtCreateFile: Direct from: 0x7FF77F3AE785	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtClose: Direct from: 0x7FF77F279E04
Source: C:\Users\user\Desktop\dropper.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F27DBFB	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtUnmapViewOfSection: Direct from: 0x7FF77F279D14	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtClose: Direct from: 0x7FF77F3A8991
Source: C:\Users\user\Desktop\dropper.exe	NtSetInformationThread: Direct from: 0x7FF77F3C6C37	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtProtectVirtualMemory: Direct from: 0x7FFEABF42651	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtAllocateVirtualMemory: Direct from: 0x7FF77F27F694	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtWriteVirtualMemory: Direct from: 0x7FF77F27D0BA	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtAllocateVirtualMemory: Direct from: 0x7FF77F27D076	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtMapViewOfSection: Direct from: 0x7FF77F27FAF4	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtQueryInformationProcess: Direct from: 0x7FF77F27F67F	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtClose: Direct from: 0x7FF77F27BF83
Source: C:\Users\user\Desktop\dropper.exe	NtWriteFile: Direct from: 0x7FF77F3AE917	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtAllocateVirtualMemory: Direct from: 0x7FF77F286BF3	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtCreateThreadEx: Direct from: 0x7FF77F27D30A	Jump to behavior
Source: C:\Users\user\Desktop\dropper.exe	NtUnmapViewOfSection: Direct from: 0x7FF77F27F7E5	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\cmd.exe

Memory written: PID: 5028 base: 9E30000 value: 43

Writes to foreign memory regions

Source: C:\Users\user\Desktop\dropper.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E9EA1F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\winlogon.exe base: 22EA0F30000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\lsass.exe base: 1D5A12C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C2547E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\fontdrvhost.exe base: 2D165ED0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\fontdrvhost.exe base: 15A02590000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 202954F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 17A4FD10000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\dwm.exe base: 203C25A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 210B17B0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 23625470000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 210752F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 20132040000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 25A61170000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 15B925D0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E527CD0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 24471FF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2624C1F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A512710000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 13C98A30000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 1A7C60C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 15A415E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2B8023E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 16F945E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 18130BF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 18A357F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 176A39A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 26D9CBF0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 23DCEBE0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C21B810000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2B6742F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 20207560000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 20C362C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 202DE5C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 23332A00000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 24D9AC90000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 273114F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2E2D45A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 380000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF66FA0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D388F80000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BBDEF30000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E8AD970000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 21FEF4C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C4DAF90000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2008E430000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CE82070000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1620F440000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 1F32D400000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 1B09BCE0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 15BF5370000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 246D20C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 21290350000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D861D60000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 24F383E0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25D417C0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\sihost.exe base: 280B6990000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FD0F310000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E374BA0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: 700000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CBDEC80000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F1A68B0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 20DCEFE0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1D2EDCD0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\explorer.exe base: 9E30000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxEM.exe base: 2A1B2970000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 24274250000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: 2E75E930000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E4E89D0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 210C33F0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 18035870000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FBC6F10000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2382AEB0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\SettingSyncHost.exe base: 1C79D3A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 21DEAFD0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 14DFF1A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1CD12040000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 204BDDA0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1DA251A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27DD4FC0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1F217020000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe base: 4D0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BA63E20000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 175748A0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 282CAFC0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 279ECD60000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 255D5AD0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 2266FBE0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\svchost.exe base: 23236FC0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2BB0000	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\conhost.exe base: 28438CA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 20295500000	Jump to behavior

Source: dwm.exe, 0000000C.00000000.1880891638.00000203C0FB8000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000C.00000002.3769113737.00000203C0FB8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000005.00000002.3700153476.0000022EA18E0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000005.00000000.1846935380.0000022EA18E0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000C.00000002.3738435099.00000203BA570000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000005.00000002.3700153476.0000022EA18E0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000005.00000000.1846935380.0000022EA18E0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000C.00000002.3738435099.00000203BA570000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000005.00000002.3700153476.0000022EA18E0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000005.00000000.1846935380.0000022EA18E0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000C.00000002.3738435099.00000203BA570000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: RProgram Manager
Source: winlogon.exe, 00000005.00000002.3700153476.0000022EA18E0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000005.00000000.1846935380.0000022EA18E0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000C.00000002.3738435099.00000203BA570000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dropper.exe

Code function: 0_2_00007FF77F3C6F2C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF77F3C6F2C

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\cmd.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center FirewallOverride

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiVirus 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine	Registry value created: MpEnablePus 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting	Registry value created: DisableEnhancedNotifications 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet	Registry value created: DisableBlockAtFirstSeen 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet	Registry value created: SpynetReporting 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet	Registry value created: SubmitSamplesConsent 1	Jump to behavior

Source: Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.20.dr

Binary or memory string: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 LSASS Driver	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	42 Process Injection	12 Virtualization/Sandbox Evasion	LSASS Memory	51 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	31 Disable or Modify Tools	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 LSASS Driver	1 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	42 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Bypass User Account Control	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Bypass User Account Control	Proc Filesystem	22 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dropper.exe	4%	Virustotal		Browse

Source	Detection	Scanner	Label
http://ocsp.digice	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
https://excel.office.comSRD1%	0%	Avira URL Cloud	safe
https://word.office.com.com	0%	Avira URL Cloud	safe
https://powerpoint.office.comSRD13	0%	Avira URL Cloud	safe
https://outlook.comSRD1-	0%	Avira URL Cloud	safe
https://word.office.comSRD1#	0%	Avira URL Cloud	safe
http://ns.adobe.	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.com	svchost.exe, 0000002A.00000002.3732021382.0000027311EF4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.1997217968.0000027311EF4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000006.00000002.3672345313.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1848580244.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com/shell	svchost.exe, 00000007.00000002.3680147591.000001C253E43000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000006.00000002.3672345313.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3673991180.000001D5A0C50000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1848580244.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1848644587.000001D5A0C50000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000006.00000002.3672345313.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1848580244.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://docs.rs/getrandom#nodejs-es-module-support	dropper.exe, tempdll.dll.0.dr	false		high
https://wns2-ch1p.notify.windows.com/?token=AwYAAACt0b4o2pzQr1ELEoEWZ1n5e%2fjr1V5ATEwWpquZtZOnf%2bYC	Microsoft-Windows-PushNotification-Platform%4Operational.evtx.20.dr	false		high
https://www.office.com/pwaimages	svchost.exe, 0000002A.00000003.3120063713.0000027311D4D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3120212964.0000027311D4F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.1996163246.0000027311D3C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3120999826.0000027311D63000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3121060601.0000027311D65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.1993155866.0000027311800000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3741937602.0000027312323000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3120297979.0000027311D53000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3119200705.0000027311D46000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3715415088.0000027311800000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3119901157.0000027311D4B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3120816818.0000027311D60000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3119813685.0000027311D48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3119103835.0000027311D44000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3121525964.0000027311D6C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3122326950.0000027311D70000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000006.00000002.3673991180.000001D5A0C50000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1848644587.000001D5A0C50000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	svchost.exe, 0000001B.00000000.1947513300.0000015A41530000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.digice	lsass.exe, 00000006.00000002.3708539701.000001D5A165C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1850078314.000001D5A165C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000006.00000002.3672345313.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3673991180.000001D5A0C50000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1848580244.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1848644587.000001D5A0C50000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns2-ch1p.notify.windows.com/?token=AwYAAABke4skwiuYfe49X%2f7MqWUvS4wAMAkNCdvIJKn2T%2fzGuskS	Microsoft-Windows-PushNotification-Platform%4Operational.evtx.20.dr	false		high
https://word.office.com.com	svchost.exe, 0000002A.00000002.3732021382.0000027311EF4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.1997217968.0000027311EF4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.comSRD1%	svchost.exe, 0000002A.00000000.1997961869.0000027311F8E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.1997895867.0000027311F7C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3736012639.0000027311F7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000006.00000002.3672345313.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1848580244.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://spclient.wg.spotify.com/v1/live-tile-xml?region=	svchost.exe, 00000007.00000002.3710184662.000001C25487D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.1854630671.000001C25487D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 00000006.00000002.3672345313.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1848580244.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comSRD13	svchost.exe, 0000002A.00000000.1997961869.0000027311F8E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.comSRD1-	svchost.exe, 0000002A.00000000.1997961869.0000027311F8E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3681957337.0000027310CA5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.1991269822.0000027310C9E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3122932540.0000027310CA4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.cn/shellRESP	svchost.exe, 00000007.00000002.3680147591.000001C253E43000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns2-ch1p.notify.windows.com/?token=AwYAAAA2HYHBNF6KtGfOq6LmRDRnRsE0C1NizUPB%2b9TW%2b0Tv9LLJ	Microsoft-Windows-PushNotification-Platform%4Operational.evtx.20.dr	false		high
http://www.quovadis.bm0	lsass.exe, 00000006.00000000.1849428437.000001D5A1493000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3694892536.000001D5A1493000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000C.00000002.3747894161.00000203BC760000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000C.00000000.1869914301.00000203BC760000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns2-ch1p.notify.windows.com/?token=AwYAAABApC73HrwE9gKV%2f4KYF6Kztns9Qz6WwYIs10FB2fwJYW985N	Microsoft-Windows-PushNotification-Platform%4Operational.evtx.20.dr	false		high
https://word.office.comSRD1#	svchost.exe, 0000002A.00000000.1997961869.0000027311F8E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3725685333.0000027311D3C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.1998134965.0000027312200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.1996163246.0000027311D3C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3737548261.0000027312200000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://Passport.NET/tb	Microsoft-Windows-LiveId%4Operational.evtx.20.dr	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000006.00000002.3673991180.000001D5A0C50000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1848644587.000001D5A0C50000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000006.00000002.3672345313.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.1848580244.000001D5A0C2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ns.adobe.	dropper.exe	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	lsass.exe, 00000006.00000000.1849428437.000001D5A1493000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.3694892536.000001D5A1493000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000C.00000002.3747894161.00000203BC760000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000C.00000000.1869914301.00000203BC760000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583673
Start date and time:	2025-01-03 10:10:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	37
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dropper.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@5/60@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, conhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1.1.1.1	6fW0GedR6j.xls	Get hash	malicious	Unknown	Browse	1.1.1.1/ctrl/playback.php
	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.32.1
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	http://4.nscqn.dashboradcortx.xyz/4hbVgI3060FFjU163rczgakrldw288HJUBSXEIQRWLNTA425583MYLP8076x12	Get hash	malicious	Unknown	Browse	1.1.1.1
	ogVinh0jhq.exe	Get hash	malicious	DCRat	Browse	104.20.4.235
	https://myburbank-uat.3didemo.com	Get hash	malicious	HTMLPhisher	Browse	104.26.13.57
	hiwA7Blv7C.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	http://hotelyetipokhara.com	Get hash	malicious	Unknown	Browse	104.21.96.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.317357507089542
Encrypted:	false
SSDEEP:	192:D8V7IF0RuqHQOnbgpib8AtYl+HDJ86PL+2SSD2Czp0gy16ZcC0/oUhQXzgwPtFqL:QhkyHQOLt5jR7zpkYQ9z+/TG6OtiY
MD5:	CA05A8EF9EFA541820B9A3D1D6E4D607
SHA1:	F7F15473CA3C1536AE571827FCB340D67C229799
SHA-256:	DB10F633289A65E7B927C2535B9B7AF208C1350DE3F9432C2F077F266876B97B
SHA-512:	0D71A18608A6551E5C01C869914F38782248AA669D295300C4989B69BA2B66F6F410791DBFCFDF7DAF94CA62F29374486E983D80107A15D5672BBEADFB193F9B
Malicious:	false
Preview:	ElfChnk.u...............u.............................vx......................................................................R_................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............................9...........................).......................**......u.........K.i........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.471085771951786
Encrypted:	false
SSDEEP:	384:ZIhBNimLN3UN3pNINcN3uN36ZN3fcN3dN3xzN3lN3RN3sN3YN3zN3TN3JN3xN3kM:+AaC30SyTx57f6u5Z3/y2Fpwswk
MD5:	45583ED41855344DB67C5897C583269B
SHA1:	159826E30931D94FE11E3668A2DF3298D2EF298C
SHA-256:	CD303FFD25A30F80DF7000DE805781FDF9B598153AB198D9CF5F8D9EE75FD84A
SHA-512:	E8BA5A87140307D7F5770B7E83D249B309D2871C9BC5579030B6A669D1513163066BFB1797EE17996175FC8F822FE629300DE85A6D7AAA2494178CD9129CE500
Malicious:	false
Preview:	ElfChnk._.......y......._.......y............G..xI... .x....................................................................%.5................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**......_..........f,........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69240
Entropy (8bit):	4.323948789348342
Encrypted:	false
SSDEEP:	384:SVHVdnV4V9VjVVVVhKVQV7VdVdEV/jVAVjVKV+VsV6VxVpV5mVmVoVJVsVuVSVRp:bfpq6
MD5:	38669967D478013212CE4ED4AB58C678
SHA1:	FB42791F75EA973A51C20B465102F96BE7A8ED0D
SHA-256:	4D56E20E3D9D303CEBB640B5C59CDF711483E715C7CBCED81DBFD6FF412BBCBF
SHA-512:	3491E9271BB5D1A5F5689D123CEE552922A40109EEE19BBEF1616C26BEDE0635AE0B5EC2E8DF9CD00A49ACEB826BB61516444FB1D718528E0A4FC80D071797FC
Malicious:	false
Preview:	ElfChnk.\|(.......(......\|(.......(..........8\|...~....3e........................................................................................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&............................................&...............................#.............(.......<..]......../X.P&...............................................................@.......X...a.!.....E..........@.<..]......]......]..8...l....(...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y.....s.............(........=..]......../X

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.3946742616331385
Encrypted:	false
SSDEEP:	1536:JY1fni2TDyiWAZfBzB6BbB2e7CBC23KDi/OyazwNJCmikDw:KfjDyGA
MD5:	8C584F0C2548065D96ECD20CDF399B93
SHA1:	70B546F843562BD8EC14D27DA0D258C98162DCD7
SHA-256:	841D8A202ED20FF90F8C821A405185A2BD92B2664259BB1ADF7DDD17452CC6A7
SHA-512:	F30A622357A3376E8E0FBC2F8522B5D76FCC15E59B97A322F68305B8D9DAD9A9493DB4078FA7897A7E358122FBFC813F95CD3E8DBD42FBA15CB1F052E1501949
Malicious:	false
Preview:	ElfChnk..'.......'.......'.......(.................R.....................................................................m/'.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................3W..#>.......................N..&........................................8...;.......@......;5...........`..........**.......'........~........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.340052085018986
Encrypted:	false
SSDEEP:	384:rhm+iMNEi1itiXiYiAiQiCiYiXiviCiriMiKiYili+iciSiVciji/DiQisiKi7i4:r8
MD5:	99669F5266647966B480D0F4BF617990
SHA1:	680D1F4A75F3974808719C0D8F6FC8732C9C8BD9
SHA-256:	B3C5A2E0EFE60C841A6C9D5E871F4A7533DC286CD8F036C0DAAEDB960F2A2129
SHA-512:	CEE0318611F43ECB227F80ED4E36882709AB3A0E32EC301459DC7FC9C710F56E009F6B239780DE01D6B132C822EE46C073358D5782D6E40DF96CE9DE7E95B12D
Malicious:	false
Preview:	ElfChnk.........3...............3........... z..h\|....?.....................................................................@'..............................................=...........................................................................................................................f...............?...................................b...........M...F...........................................................&.......................................................................................**..X..............w............>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.448777410500309
Encrypted:	false
SSDEEP:	384:8hI3c6dh3O3Km30v3635B33H353X3g3J3N33Lv3j3j3A3730j3ue3H3T39z3IM3U:8kqL+Tl5qhdWFgwc4MElvawvMLoo
MD5:	02952C86F9B4D292381FDC4ADEE3BB27
SHA1:	F9C2E6FC882EB94C0CBB9E58453185F649FD2AD1
SHA-256:	21E51C5F4F136BBC03A070485A582860C70F28BF0258437C70741CC265B2827B
SHA-512:	2ED7FC1335ECD17FDFB31EE9E863AB4329859E813E80EBDB0FB2956D4B989DBFCF1D963DC2AB0A1307ED30635C8AEB972769181528151280B196958584F81EFB
Malicious:	false
Preview:	ElfChnk.........^...............^...........`.........I.....................................................................]...............................................=...............u...........................................................................................................H...............?...............................................M...F...........................................&................9......................................................................j...............*.................T.........B...&.......B...._.X.$.]...+........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.22642484283712
Encrypted:	false
SSDEEP:	768:mPcpk0+dX1RzsZrczv9ezTjlRLD1xzzmfgO5WJ:04PTjX
MD5:	71D8B347FC36E3BBF82BFA7B67D30C51
SHA1:	40B3183F8BC2DC7B59F644A44064B121E92CCA89
SHA-256:	21399E3BDF55D542EF6CD6C0CCC2825593C73F570800D7383D0EA388A37E011F
SHA-512:	5A00AEFC1769DF324663D8C2F6D3959B9F7A10D270C94F0581E9FA0DB7821226D9B63EEAA4E8D03FA0F54B18759DDF652B9D993950C90E1995171E6C7F7C226D
Malicious:	false
Preview:	ElfChnk......................................&...(..=.Tv.....................................................................w..........................................4...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**...............q..f........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.953892112941886
Encrypted:	false
SSDEEP:	768:Bl/LLKiILbXvvvD7rrXuXtPPrzbvjPH7b3z:uiZX
MD5:	51F287C19FD8D718665AE93755E49789
SHA1:	9C1D5D078F0F8846E01CE340AA5DF6DC840BD7AB
SHA-256:	26E592666A18E69B371F7F40EC0E1A942A8665819FB056C9A1210E8BF21EEBB6
SHA-512:	F882E84AA94FAF611ED552770438A7815988B67519B00473E6B67CC70C34D2D37D344D458E772328CA2FCFD860B1476E63750E8BE1B2A583122496C751DAF7F7
Malicious:	false
Preview:	ElfChnk.........................................p.....Uf....................................................................j.q`................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**.................g,........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67560
Entropy (8bit):	2.5012553886847404
Encrypted:	false
SSDEEP:	384:BoOKxcojhuoS9VoryorOoroortorVorVorNorrmo4oruorlIoreorNorworgorDp:QsWqGO
MD5:	4BFAF011F8D43F0B64B613C0251AC723
SHA1:	C0353E09527F7EA18E5FBD47FA7C6297A9C3B927
SHA-256:	1C86F7E62C13A8922F5CA02ED44BFDDAED738B5D0BA9676B454351F4270D68B4
SHA-512:	1CFD8581BBEB9B35EB859DE227228F29B89718B00A46C8D3FF5E6A321651E59C29347704C1D636D2F0C2DD9069502FF9A1C218E7D915CCCA4593007837862D72
Malicious:	false
Preview:	ElfChnk.........M...............M............}......9......................................................................M..x................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................E{..............................**......L........:)..]......../X.P................................................................>.......V...X.!..e...............:)..]......]......]......X...L....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.E{......!>....[.U.....i...........\|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.2039623428900272
Encrypted:	false
SSDEEP:	384:DhNPmP1PKPvPZl5P8P7PAPt/PU+PKP1PEPNPaPQPiPqPFDPhP6PwPXPaPZ8PWPCn:DDlvUGLpF
MD5:	BF839F61B8509D2BA013E21D5EFB64AB
SHA1:	22668868E83DDB0F6225A0EEC6E52151E3582413
SHA-256:	066A01D0D8102CFEA34B5DB728F61D39D8909E508877456D64FDACA1693EBC80
SHA-512:	B93F0251372B6D082C3292E1F68A52889E9EC22556A9B8243D43D5217606E5171248210C1B1439DBCEF8DA7BF8E50699CD7066A86E8BB895F9D6F617829D8F0B
Malicious:	false
Preview:	ElfChnk.........G...............G........... t...u...7.....................................................................-.K^................N...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...................................................................................................'.......................**..x...........B...S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1777142048205946
Encrypted:	false
SSDEEP:	768:qDbHtuYYZAqRidVY4HdYWgML/chv4PzSw05Wt19M6vz73mA4+9AxNAVBBBxZvaV4:N27
MD5:	C6D0CD72D59A5899D41AA26A905F0CF4
SHA1:	21F28930C56543BA30AEA04CF498B95DC74C8D26
SHA-256:	A769F4AA35805D622753C6728EE3F31C147019C21162A14E61EB2E63207CB6CA
SHA-512:	21648DB20C6520D2F46D24587032F5535E6059B3E94D9814B15BBCDC2EACB9827B887D173DE3A02F68DAC0B1998A96C193E7C0805C6F0A0DE4971BD37CCD45A2
Malicious:	false
Preview:	ElfChnk.........G...............G............q..ps..2k.\........................................................................................F...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..p...........!\|..S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.728529992742437
Encrypted:	false
SSDEEP:	384:/hch15hHh0hUh4hlhhhFhhNhPhLh1hthlh6hah+hFh1hVhEhUhMhFhJhKhthPFhM:/yyoA
MD5:	3A209D72BB7CD82F33F122164465B8DC
SHA1:	A56A595132E7EB8A87CDD428995D2B9FFC42828F
SHA-256:	A2B80E54420E53556E4462B39272AECE4718864DC68563CBCC03B09AFC792338
SHA-512:	71873924BD3A7B8C944D9E1273192AD0EC1C5FB222A147D4C115139ABDFFB6961151F49D35FB46DE68661FA53112E9794135CD27C0B331A65EDDD61FB6D68FFE
Malicious:	false
Preview:	ElfChnk.....................................h...X....N$l.......................................................................(................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...................................................!i..........&...................................................................................**..X........................./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8002646739086935
Encrypted:	false
SSDEEP:	384:A6h7YJVYV4YcYIjYkYVpYsqYVyYV3YVfYVRYVSY:bfvzDWeM
MD5:	2BA39549B106C8FC4FE0F1D272FFCBB7
SHA1:	F9EC0BE60CF59315AA07748A5555B2FCC8DAAA44
SHA-256:	2733C048E5F142D564C96C7D40D965F86EDB98B5E0E1449479F4B6000124715E
SHA-512:	BBCAA661B8F128C9F0DE05E84878C54BFFA4B532610F799D8D8F584C9A4135BD08983BDBA429DA2A9314FA7208F678A6EEDE474C18D9D3E121571C2B2E71E53C
Malicious:	false
Preview:	ElfChnk.z...............z...................@!.. #..,.^.....................................................................m.7m................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..h...z.........i._........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.699669825530658
Encrypted:	false
SSDEEP:	384:nhDCq2cCp1Cz2TCLqCM2CZCjiCsCblCnC/iCsCe5CECOwCFCkUCXCUoCjCtorCrx:nUEJ2R
MD5:	7C383F220CCF7AE5BFC75FC4C087D1E8
SHA1:	C954003C698498CC0002459700A1A67741634777
SHA-256:	9719EBAEABC138DFE9172C3D9D0400C17918172535D9676772391DC31AF9E49E
SHA-512:	19C405E18A58232417F50D7030ED37CEDB1C7FE9B3FA5B52D422B9D5C6A9A859D91EB6EBBEB1973F514B9DBA0A31C843C5597E80439D0E8014E87BB97AB7F487
Malicious:	false
Preview:	ElfChnk.m...............m............................Sy....................................................................E.$.............................................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................*.. ...m.........13........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.953822970614976
Encrypted:	false
SSDEEP:	768:oey39iM13dtfbSqyYcQGXrlhmQHZHm43/0YOb5IMSm/OAwuM2eWE:YSE
MD5:	8CDE65568AA84CAD5EFFA67C34EE0598
SHA1:	D5D301DE2FEB829D26F01700BFAD2B3BC082955E
SHA-256:	6213E07EDC1449EA17833C80A9B9BB699CEF267CBB6E0B339BAF3160FEEFC402
SHA-512:	0748F6372930EA9BE259DC733F6FE449AD8F9119DEBA5D0202F7F23FAD7EAB7B11D4362412BBF466F513C508F6B663EE5BB154F94B8B05A25939531C1FFE7F71
Malicious:	false
Preview:	ElfChnk.........F...............F...................IG......................................................................'.n.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................................................**..x...........&............./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.472701761912705
Encrypted:	false
SSDEEP:	384:Eh8kbAP1gjk+Jk+yk/3Suhfmk+Adk+AkKuIk+2hk+Dk+rk+4k+ik+8k+4k+Uk+R7:ENAP1EHDzS0SpmjmoToEEltkV48m
MD5:	3D7BF6131B2BF1CAFC71AB0E6F87F170
SHA1:	9E16D96BDA70506DA07294615FB8CDBC61B46D7E
SHA-256:	866F56B9C85CDAA38C082E62B8AAE5472254150E95625D4B87BAE2B649670C0D
SHA-512:	11276CC04623E4E9778E338EB3781DECE976873DA04D1C65949A39ACC215D86ECC16A0290A93FBBFE8F884195FD4DDB48D71DFDFEE4BDF6015AF2E865D5E1B64
Malicious:	false
Preview:	ElfChnk......................................I...K............................................................................`................b...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................~...................................U...............;...............................**..x............Ft.i...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.445319870654315
Encrypted:	false
SSDEEP:	384:GhaEdEqXAEJVvOEJSvEqEBEENEuDEaExEOEAE7EmEizEJ6ExEZEX/+EaEF5EOcE4:GVXmIBqr97fAI6XNMJlpO
MD5:	6D3C0546E8E757F5165167BD707752B2
SHA1:	5C7B5D53F2BD6B9D35E94A1DAB435977DA6A6F3D
SHA-256:	32520504B280A16110A920CBE1819E42CC19E84197111914B61CA7DBB7E1E0A0
SHA-512:	9CA45F17836F3BF0976A213B41A92EAF66A329CE808D23A1C656347F2C367F1B85141E00AD8FBE94B013F198771031957F56B788E8DC9DABB22C8C2515B5DD97
Malicious:	false
Preview:	ElfChnk.....................................P........'.v....................................................................1.9.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F....................#...............!...9..=................O...=...........A...?.......;..ME..........}....................'..........5...........**...............2...9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.3995297065421424
Encrypted:	false
SSDEEP:	384:JhPFKlcLBKalKuDGK1GKgkKClKvQKqlKlaKu7dKrXK7CK53HKstKoIK8eKugGKIz:Jz8
MD5:	AEDBC66370D37B0736385E9DF81F2189
SHA1:	353E6833D8C54695EED688BF7D18388D2BC06636
SHA-256:	2C68161836C61E4B4FFB9AA8B6563921C9A5DA858CADC85C7F7DE6AFFC67B4DB
SHA-512:	E719260CB8EDD26DDB35EDA6CDB4495CE467A354910652C6A64BE63DC87222A6D56980BE81677128DB090D1408AE4C954CD9A3C159140B44B3B41911473E2B33
Malicious:	false
Preview:	ElfChnk.=...............=....................x..0z..(........................................................................Q.................H.......................,...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...........................................................!.......................**..x...=.......m............./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.102452801956487
Encrypted:	false
SSDEEP:	384:dh+DEfbDisDTDqDPD1DPDXDuDTDGD8DMDRDcDvDhDlDEJDpDmXDyDsD6DwDKDODQ:drqyaBHYPi
MD5:	D6AB266F8146081CC5B39581B63419B6
SHA1:	03B2ED65ED60282561C37C60850ADE53113AFD45
SHA-256:	AEFDE4777F3C4A579828AE80981BE2714227BA624163765BDE1A908144E5B108
SHA-512:	08DCEFDA403CF3BD15C125606596FA07296371309229F88519B59CFCBCC579B480C959C11B3A805C83D803BBE53AB5D749F3496CBE6F600F9B568F389FA153AF
Malicious:	false
Preview:	ElfChnk.........<...............<...........8.......b.X\.......................................................................$................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..............F_G.4........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.1951183317588985
Encrypted:	false
SSDEEP:	384:phdzpzAzKzyzIzazrzRztzPzxaz9OzJznzfzXz4zdz/znzYx3z9zrzmzYzwzYzXA:pK8WxvZ
MD5:	1E9AA0568D589B2B72C7FBA5DA357CE5
SHA1:	C3147DDE26420D49439FA9FE2D217B71ABC42539
SHA-256:	DF94EA2970ED1AF6334B6127D014AEE24E6660D6ED56648C239E84B2DA6BF404
SHA-512:	AACF138137D7EC96223ADEDE96B4EE6E90389A861D3680C080B5135AE2DE78D08EEDEC8FA3F37A1FE018E791DB0EDC33BDE726BB8CECEB033263D22E38C78B8A
Malicious:	false
Preview:	ElfChnk.....................................@...0....q?!.......................................................................................<.......................d...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..............,o.{........../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.7393244733469149
Encrypted:	false
SSDEEP:	384:phXIVbIEIiNjI0IlIkI2IrIQIPIiIHI7I267WI+vILINIhIkI8IDITI0IfImIlI:pQjP0
MD5:	37BF6F02816D21A96D244C4CCE776B30
SHA1:	C90E7EDDD004AC2C3B0CC7051012F84948DFF890
SHA-256:	C584262439F9D8CF9CFCF7347FF0A4B2848AF9CD7F03CC5F66DD798EF30BA687
SHA-512:	8005777CD298969F1A6FDCEC9C9F51C2002DBC8BF34C90AB56B2F965E481D179A55104A1B5BC81D551C41B28AF2EBCF198C3C536C2F746938CB8F33978E752A9
Malicious:	false
Preview:	ElfChnk.............................................* .y....................................................................}.(W................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F............................................................h......................................................................................**...9..............9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	5.698981106820357
Encrypted:	false
SSDEEP:	384:xhPa5UAzIzyzka5raKxphpKWQOPM+2KX8oIa5uaa5E6H2K7zyzIzfa5zMzuzNz01:x6Wc1JvZe
MD5:	4A1A3E143E2C91F24E727C42EBEF74C8
SHA1:	C5EC8F8F1B115376EA815439B44AC78FDF64DA78
SHA-256:	909753801FB877443B44492397F74FEEC9C219981C33ED80198447436CCD878E
SHA-512:	FA45A8276241D5FA89096855F6F2DCAE097597FB5FCAE24FBD44B50809D279E906D789AFBA80724F5556FBCBB8B21188FBAE4A9B7328AACB4336E1CCE0ACB0CD
Malicious:	false
Preview:	ElfChnk.h.......p.......h.......p............`...b..Y&......................................................................w..p........................................8...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&.......................................................................y!..........**......h.......6..<.]......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1078194442473146
Encrypted:	false
SSDEEP:	384:2h0QMqHM3EbMYFMOuM0cMn71MuMMxsM98M0n4MBHMovMmXMqQMrdMlOMZzMWHMBW:2ZWa
MD5:	6E827C3A14ADE71EE1A590B0B589C32D
SHA1:	3F2F1B997FE929C4901B5CB4797975E608C92004
SHA-256:	B8579BBB00FE585C98279986D456AB7FFCC745215B610AD3CF91164AC54ED757
SHA-512:	A78E3E12E8EFC9F713E3587B83F1709027EE8197CB6A8978C034D07523A169817762F6968CFC935C21540232EB520802F7C541593FB2FB816228115597578091
Malicious:	false
Preview:	ElfChnk.........@...............@............l..Pn..Y..`....................................................................k...........................................>...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..............)..S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.282506379130842
Encrypted:	false
SSDEEP:	384:Lhb1Sh151f21Q1c161J1fA1eE1cj1/q1f+1Cz1410C1F1f81H111f210111X1fI8:L6vPCDe2v/bgrJlrxbz3t3fAQmLm
MD5:	FBCD26FDD21DE9A9A37D977967F3E435
SHA1:	3215A571E100BEE2B4A0786E8870415FC0460B83
SHA-256:	B5395AC0D74FA4F7F7E8E7C0EF6E3C0F1E57031EC88BE035024FDB096A013ECF
SHA-512:	E57FC724432F900C57B9B410F2C2589A00717B4C0927467C6A883B234E906CBEB6087088FCAB0373C8A125FD836833F4F64DCB6C922D118D786C6872ACCA7165
Malicious:	false
Preview:	ElfChnk.0...............0...................`......../M.......................................................................x.................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................1.......................................................**......0...........]........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.323432355165814
Encrypted:	false
SSDEEP:	384:yhnIFwI1IcIIIEI1InI0IXInICIWIzIOILIqIhIXIJIrIPIMIiIMI/InIFIxImIV:yuxxVIRr
MD5:	F737596F7B40F88F8118EDB58EEFFA37
SHA1:	BB21B3F84EBFB93D98A3808D85DF56337A1DCD46
SHA-256:	CF6E3590B51C3506EE36C092F6E12C30B117767C39FF54218D040332815E9B45
SHA-512:	A971647EE9028E3F5A5169BAF518C7C678AC430D9C740823A9EFAF45304FB1E2577168E9FA8190454B88209880CA584FDC44EB0DF76690A68F88DE40BCEA130E
Malicious:	false
Preview:	ElfChnk..................................... .................................................................................}.........................................0...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..h...........r.........../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1541116692842
Encrypted:	false
SSDEEP:	384:8hqILI6I6IUI+I4IZIhISCI3hUICIOIDIMIfINIEdImIDIXIjlII+I/IAIiIkItY:8HZhxKkDBhT
MD5:	AB1E696BF5A8671E47A66DCE5F1A43DC
SHA1:	9A2623F28CAF13D5600FFC6F93BA507955AB9D0F
SHA-256:	8A50DBCA8693D81535DB8E4E4D0BD2E9C33981EACA9E924C8981CC9F966DE219
SHA-512:	24CFBCAD1F26F6EF5A30A9EF25872C1498223F0E5D6236DD62E063F7BA9F56C4DF2FB76BE050D3A35B15CB44C6492D2BDE2366B629CA5DA4B25D242F8E496F99
Malicious:	false
Preview:	ElfChnk.........Q...............Q............o...q...........................................................................@!.............................................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..................S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.8998803290277757
Encrypted:	false
SSDEEP:	768:141WS5OAT1rPgAT0nH15T0n915T0nQ15T0nW15T0nr15T0nB15T0nh15T0nb15TT:XScA
MD5:	6F2DDEA5E2C93524F07EC17890A247CF
SHA1:	45832DB838E1378DC96D1142C867EF5007671DF3
SHA-256:	160178BB9FFB551F1195982325645229F3534C2E0E6C2753952C57BDA2BFD87B
SHA-512:	EDEEA26ECC9675AE6C0937A44C5ED44369CA2E50BA438DAE06C3CF32D284F75DECB81CF4FB9EA6F9DC400665FA5D56C8B86B4FE06689EFF281B6D0BD675B23BB
Malicious:	false
Preview:	ElfChnk.Y.......[.......Y.......[............'.../..?..k................................................................................................................B...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..8...Y........n_I.9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	103632
Entropy (8bit):	4.9748872305581155
Encrypted:	false
SSDEEP:	768:ERwcWmH+43Nj0G8hyDV4B1WgvOPN3Az4wcWmH+43Nj0G8hyDV4B1l:E/N3t0vsDVNPN3vN3t0vsDVG
MD5:	E619DFD4FD97C8A61946A44AE456BF15
SHA1:	BC403AFC1F8E9C719E0E8C33FFEFCFBCE2C9EC13
SHA-256:	875ABFA1E63E97E5C7BF8A2AE2A235816563F67FCA426A3B544BDD72649C7481
SHA-512:	DE852B142B56C81B20FCC52DD989637A8B25D997E30947E8177C866CC79D7E1CAFBD697A4BFADCE9514307D3757521AACD09BA23C457C405BE5C8849E1668C41
Malicious:	false
Preview:	ElfChnk.{.............{.........................P.(......................................................................e................n...........................=...........................................................................................................................f...............?...........................m...................M...F........................,...................x..........G........n.......).......%...............................................{..............W...*..8...{......`.n..]......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 4-8, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 10384593717069655257060992658440192.000000
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.053649827115195
Encrypted:	false
SSDEEP:	384:Zho8N8M8p8d8I8K8t8v681o8t8K8aI848s8D828P8N8285818n8U858w8v8yt8+m:Zj31lT
MD5:	5F53E0F9E97DF09A3D6B41D97E368058
SHA1:	167E112D214AEBB96A3C3E8FB804565EBBF35F07
SHA-256:	34B1F24FC914161D35BE2AB7342E8EC966D2DBA9FC67292D9CEDB18F38243CAE
SHA-512:	8287038E44CAECE033727FA4B50102449A4265B2D4ACF8D8F258CEDD243B4BA02B71D051FABC9B6D2F079ED6DF901B823443FAF21B272DD8726DF43BAA4B4335
Malicious:	false
Preview:	ElfChnk.........@...............@...........8f...g....Ig.....................................................................$..........................................V...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..(...........e...S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2229180413645775
Encrypted:	false
SSDEEP:	384:OhuvnvmvJvBvdvrvwvSvovl+v4v6vvvmvcMvOyv4vCvAvTvGvP+v5vRvH8vUv5vC:ONzTEejRRTt2
MD5:	BDBB2FF15C1B180C7B13590E3E02DBBD
SHA1:	2989F4396A4277D203C79F0FBB3DD68630CE64DB
SHA-256:	E49AC7A0299A0252079DA7900FD16461E299E1F9C5D9E8FC21D459B6763F611F
SHA-512:	545AD7A3777A01497007ECDD46A2360214F9A203A05B748D684AB2E79CA442DFFFED46FDCFA70557928E9AB55F8B1B565AC435F6605B2C6E1CE1F27BF3AD246F
Malicious:	false
Preview:	ElfChnk.........................................P...`..0.....................................................................j.................v...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................f ..........................................................O.......................**..............l..-T...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.09283426805895
Encrypted:	false
SSDEEP:	768:WS/Bp+UdTU8UqOUyGUwaUpcuUvKUruU6DUZ5UtaUKOUpSUv2UwLiUIeU7bUhCUrp:b7rw
MD5:	FBCF55B27308A765B6D514AD9E3F975E
SHA1:	C1B35022A1690FEB22836A5858EDE7F003B2AA06
SHA-256:	D0E486FCFDD73BFB154EF9BA7412F010AF3172289705132F93959FE18B7377B9
SHA-512:	8F64ED00CE3BCDFBC246C7BF6B425EC91482017D051B81764C143709CF473182583ABC778E50ABAA78C038E4AE10E405FA700312493ECF133DB83792FD558108
Malicious:	false
Preview:	ElfChnk.....................................8...h....{.V........................................................................................C...........................=...................................}.......................<...............................................................f...............?...............................................M...F...........................................................&.......................................................................................**..h.............h............>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 7, DIRTY
Category:	dropped
Size (bytes):	71160
Entropy (8bit):	0.8572927173515907
Encrypted:	false
SSDEEP:	384:aJhRiBmiriGi/i6ieibhRiBmiriGi/i6iei:ikDk
MD5:	82F661D9877F6F88624801634D77F6FF
SHA1:	A4107575C2372B597188CC2D89C20945FB37000B
SHA-256:	FC0453DB9A22C67332F6A56DE1A85EA3694AF1822F38188DDBF1D7620FB5EDF1
SHA-512:	7E930C4A2CA17D22DDF4600E8F0ECE6B5FF1B008379D4D7FA6FFCA2374189150CD3E05D20C35A179A8B6F5C6F31928A006FB08BA83E91DFA22FCB3625E1A59A0
Malicious:	false
Preview:	ElfFile......................................................................................................................O.+ElfChnk.........................................x............................................................................t................\|...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................................U...................................................................**..............<k}/T...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	112240
Entropy (8bit):	4.295073254607269
Encrypted:	false
SSDEEP:	384:JChd2h2x2z2W2q2Ez2S2h2HC1C+CACA2q282vo2Q2f2j2S42N262W2kCwCaCZLjL:0GCyLBWpfPc6isrzh4GCyLBWp+u
MD5:	259F7B168C26DC917FE7D9929A0FC14C
SHA1:	89C4882321E1ADAA23EDAB7C59599A350E3F58CE
SHA-256:	D0B1C57E305ADA2D665512DE23F66485059DF18372428BF995FD538B54765526
SHA-512:	BA3E4C4770BB756E012EA322AE4805FE26338768CDF016B5194328675CF466C587AB2792C0BE03A13CE140BE541C889EA08C8B74E44EBF6C15AFCD3B5A5FCC17
Malicious:	false
Preview:	ElfChnk.<.......s.......P...................h...p......<....................................................................M.F.................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................!b..................................&............................................................;......................**.. ...P........v...9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.415346248247045
Encrypted:	false
SSDEEP:	1536:jtJTcmXTfu/hD9ouzDZx+DWQeD8yiM4C0BYEeKee6lFY99PXg95RA2IektFNEfJ7:5JTcmXTfu/hD9ouzDZx+DWQeD8yiM4CZ
MD5:	79E319114B3EDCE65E6008FFCF8E6C4D
SHA1:	168F4EDF140DED590DCA93A95EA5B061FBA6222B
SHA-256:	0885B77A81A3F6C8F127876A0699EC9F6DB6A0C516B7787B4A4C07240502BD74
SHA-512:	46D2A05AC7DB5DACA3935D1989F51BDB463245DDD31CD569F8A8DEC33463A52ED4BA740ECAB75FC0D6FCA59AD7FF469D159ACA7D17AAABADE6BA9378227A110C
Malicious:	false
Preview:	ElfChnk.~...............~.......................x......q.....................................................................U,.................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**......~.......=............./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.473355136480431
Encrypted:	false
SSDEEP:	1536:Cv8uGpQtJAd1WVXrBNg/Sf2uGyywH3cIKkkZkpagW2Dwaz2JXD6kdEHTmsCnvYbM:Cv8uGpQtJAd1WVXrBNg/Sf2uGyywXcI2
MD5:	263EEA3261C771F3BAD4918FFAACD3B3
SHA1:	3E8160BAF2FA49C5B5657611C711B1869F88F0F2
SHA-256:	89CC7AF7AD6C7EF037B289CDFB84352BA81453BA8A8494F8AA6063CAD3551DBE
SHA-512:	C1C1FA1E2249D138ECB7DBB6069A7F66BF7026DE9CC3F4B61E45F50648D2E371C35E1FB2DBCC5EC00C53C10309EF7DB43D2870C8CFDCA0F9633A8BB8FF632095
Malicious:	false
Preview:	ElfChnk.0&.......&......0&.......&..................0.........................................................................).................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F......................................................................................................................a~...y......................**......0&......N...]......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9554289307699784
Encrypted:	false
SSDEEP:	384:ihq7v7l7UZ7r7B7c7li7x/7Z7Z747A7rK7Rx7fy7P7C7I7F7W7DX7z7C7B7Z7f7H:iGzb
MD5:	2C17148B09B6B77C7CBE1EF79F2E0DA0
SHA1:	7290371228D62E2FC08D05DA4A1DF7B3F47EA851
SHA-256:	4C75036C4709C4BE048F986E67FF40CBBBE37018C5817FCDEAF8336B329E30D5
SHA-512:	E6B70D03B3FE3E781757F4E72B43FFDCD90695CFAA6EDB535351DA2824A5C8F82237040243F9F803D4F662904A154CFDD7E0C991C333A62D0BDED3ACB893EE0E
Malicious:	false
Preview:	ElfChnk.........2...............4............\...^.."..".....................................................................S\.........................................0...=...........................................................................................................................f...............?...........................m...................M...F...........................................m!..................&...........................................................e.......................**............................/X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.258875318932236
Encrypted:	false
SSDEEP:	384:M8hwuTDFbuJuuDu/uVuuvu7uu6uOuU/ueuu/uFuuVuauUmuPuuAutuu2kuzjuUa2:M8HawuFBoRW3L463zLKxWFmu16S
MD5:	F0AE98EB279C50FC1D2A4FE3C598C405
SHA1:	4D555B1880C7B0F75688C157A7C752C3C854177F
SHA-256:	50BAF1B339B0326697A6760ED2B3E962A813B704AF9FD876058AAA592263226B
SHA-512:	2B7E9DE8E45EEBD1924FB64E4EA92F1A9A59BF41FCC1F5E63074DBE47FED68BB33E75DA3FB3EAB7FDD055C9B498456B98C7E1489A171D3F050DE57BE8AEAF597
Malicious:	false
Preview:	ElfChnk.6...............=............................o`.................................................................................................................F...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................o...............................*......=..................../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.3453030234141012
Encrypted:	false
SSDEEP:	384:Kheu/uSuWugu5uGuFu5ut1u7su+uPudu3uxuIuTuxufvuIUubuMuBuquZu/uKu9H:KP6ZDGl
MD5:	611FFBE1C80E5D28A7490CF7C55DC0AA
SHA1:	7AC79562942DF77EF8BCFB64DFC4F044937AC725
SHA-256:	C5C3C756447CB67D04115151674FF3778DC61FAF4CC751EC8F5B12C86C981AF3
SHA-512:	A53A47520AFF99363716F9D692E63067A823F8E7A7E1F8B7B14D7E2F5909DA0490BC7A971E21A81BA355B6FA962C9D0E8B422B3FDA8070CC989B8B62E05873D0
Malicious:	false
Preview:	ElfChnk.........H...............H............z.. \|....R.....................................................................W.L................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..............%,H(T...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.298985438907344
Encrypted:	false
SSDEEP:	384:2ahPAodANA9APA7SjAkxArIvjA2UlA/A3AnA7ATAnALAlAfMAYQAgiA/ABAxAsAz:2a9SNmIvvfek9kOG
MD5:	FBE31E45BEE6A41C17FA69BA3ACE038E
SHA1:	E207C6A6AF78878C7B30F34F7D8B8B4A95687FB1
SHA-256:	7EFC10299E5832FC49DA06B985D83883B1931B6FDAA9E5EA24BB1CEE3DD00CAB
SHA-512:	BB06451E4912E404E846C8312A5B4ACD576013471BB62976E35B4311DCE66D17CE12C21D452B78C8A4A0E1878BD830CD6FC8DBB257CEA8D86077ACA891CB5CC7
Malicious:	false
Preview:	ElfChnk.........r...............r...........8.......X..y....................................................................)...................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F...........................M........................%..........&...................................................................................**..............}y.._........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4245834313194634
Encrypted:	false
SSDEEP:	384:Yhk+pUYnpdo4pd+pdnpdwpdVpd+pdrpd4pdRpd/pdqpd9pdopdKpdXpd8pddpddh:YIAz69
MD5:	C9EA969B9079CC8119796DB7CABABA3D
SHA1:	FF6FA77A0C3DAA3BB6F30BDDF892954A158F9A8D
SHA-256:	8E724EA6C1DAEE8E81871A215AB2632F03BEEEB7BE6F78F216350EA962D92F6F
SHA-512:	F8C170283AC815C6A2E8740E4849AF80CB420184223C36CD0B360F6DB9D46240199859FC08DC0B0190FCD27FF4B8489C61EF12FAEC107215C9151BEDCD3EB9D5
Malicious:	false
Preview:	ElfChnk.&.......L.......&.......L............... .....2.................................................................................................................:...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**......&.......yN..^........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.121653993559385
Encrypted:	false
SSDEEP:	384:IhmCpaKpmpL6pAsUpfwpAbdpABApAGQpTVp2LMpIJpAbWpW8pAWWpAJap8kpAE0E:ICX8T/ke
MD5:	836292A8B200CCA648A675131A7FBAD4
SHA1:	D3BF3EF8B2D9A632C4B2C9C93F2C2FF047DA353E
SHA-256:	931C964A1969042377DC7EAC1F1274143D867DFDAD45D8E389517CCE32CF44E3
SHA-512:	DB8D9C8FEA94C82DFB889439BF10F43DEC489EC8189F3345744A1AC581AD146553E9F50C526281922651C3BA1D940768628A911C96FD064DEFE9D2F0BECC9D24
Malicious:	false
Preview:	ElfChnk.........R...............R...............X...oH7L................................................................................................................D...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............................i'..E...............................................**..............a...f........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.236353710304171
Encrypted:	false
SSDEEP:	384:6hoCKCQC8CUCLCYC7CFCuC2C+CxC1Cl0Ct4CCC2C7CLCtCeCeCiCmjC0zCpDCMCc:6+fNJCRxkjZHbUL
MD5:	0071D965F90F7978F469A2193A685FED
SHA1:	27CC4070CD630F93A7CBBEFE3DC99C596778AE2F
SHA-256:	61E1AC21458D10B942132149B089389C004A6BCB81C15F6BE9DE83C314000291
SHA-512:	23DD85FF846319E3145A0C93855516F846BD5324B85559F9CC64C30ED8F477B24439D6B95EEC17180F0C8CA56BB1B6B1059C80C3B51BD2D37CC2E3FE5097D2CA
Malicious:	false
Preview:	ElfChnk.........P...............P...................h.......................................................................m...................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F.......................&........................................%............................................................................../...**..@.............1.S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.697634260387277
Encrypted:	false
SSDEEP:	384:Uh54M5hM9MMeMVMsMhMIMkqMULbyKMXNbM9M/fpM0fMU+jMjMIMF6QMkIMaxMqMg:UfAby39f7Wp8bVBabyMbywGBcbyKJdAn
MD5:	216C060E8BC7718FE314681C4522C7AA
SHA1:	CA91FB84A06B77E96A3F09210A399C2781FBDF06
SHA-256:	278A2B71890198C09EC27121DCF0BC433F17229CE10C56B62B42D49E8FA868F5
SHA-512:	05CAA54D00E6C5F7DDA18B2A9ECDF2A84274BDE22298D02D95056B60B00971A0AE7C17C01A423FB508F385F46B8E5DD0767824B8CE8D2907F985A929F09AF7C8
Malicious:	false
Preview:	ElfChnk.O...............O.......................(......^.......................................................................F........................................D...=...........................................................................................................................f...............?...........................m...................M...F...............................e+..............................&........................................................H..........................**......O..........J.]......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 64, DIRTY
Category:	dropped
Size (bytes):	108648
Entropy (8bit):	3.630708561580112
Encrypted:	false
SSDEEP:	768:SvgffnPNm/2sY3pLwIkJ2jLHbj9fr7w2imMFopTMFw3grHUP9qPvgffnPNm/2sYk:LGaYCGaY
MD5:	F1792F1F50C8F385B11B08C34767793A
SHA1:	02EE3215E5767AE15E6706F05C07CA80CE169C7C
SHA-256:	D2350D2AF119A5441F0BF408976E32FC6651F45A5F8FA79E5986E9B355D38DA0
SHA-512:	DB8FCEAC3BCAE10684FAFCE62AB4B27C5AEC0E0DD96124A70A05988B5ADC67342D7509160677F354991A9F9E925D02C129FA84CABE4D4B4D032EDB5E150050E2
Malicious:	false
Preview:	ElfFile.................@....................................................................................................d.BElfChnk.........@...............@...................BPh...................................................................................... .......................H...=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................fC...................................................................1..............**................8.S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.203905497815097
Encrypted:	false
SSDEEP:	48:M0BW4CrP+MZQNRBEZWTENO4bpBdo4i/6FgVt:LoKNVaO8toh/6Fg
MD5:	73EFCA720203B38B5359CED08C224555
SHA1:	CEF8F27415EBC5AD15C854346EB8590217090DDB
SHA-256:	7A5B0B7BD92397B3C085F4AF3D674D072762ECB1DCCB111BFA957920C16A01A8
SHA-512:	95B8C386A16C53BC65E42D65076E93A28F197058FB2BC9F3B97AC6DD6FB07E4F4E082566506B30417950543858BC3828F2A415592AC396F6A6C508668CADA366
Malicious:	false
Preview:	ElfChnk......................................................................................................................k................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**................\|J.]......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.298824401368957
Encrypted:	false
SSDEEP:	1536:ZKoKKK3KOKbKrK7KAKqKpK0KXKAK8KTK+KfKvKYKqK4KGKkKhKjK9KyKeKhK1KK7:ZKoKKK3KOKbKrK7KAKqKpK0KXKAK8KTg
MD5:	BE4737B80496B7E9F99E9FE82BA58F79
SHA1:	57550603B61895810546370E2904155D12A59C93
SHA-256:	157AF8FF86608132E7BC8B6A3508681616C4768F2A1D585F4F16837D9AFFCA14
SHA-512:	42D9E17D56289E28EE849F763B9A158708580ADB0A3DFDA9FA7D607BBDB766C19F7951189B3E484D77243CEBF16BCF87F5D3FB7B4695838D06A2EE23CC0A29C2
Malicious:	false
Preview:	ElfChnk.....................................X}......p6dt.......................................................................7................,...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..H...........N..)........../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.095984635925141
Encrypted:	false
SSDEEP:	384:Oh8i4i/yi6iDiDi5iwiliM1iNiUiXKbieifiGiOiOiIiIiBigi1iVinixiEiVciq:Op6xKo4KN
MD5:	64951A5836E8371CE0B1749B5BA7EB6E
SHA1:	CCF4E110C89C901FAFCAED03C598B6064A0CB6B9
SHA-256:	99F1A88E3F8C44DA8B960782B2F3DA4F483E0DC967000EC4ED209B11E89787A1
SHA-512:	B92F8C500CAD7AA8D927877D66E15FCA7B2FC7D286CF80DAC0502CB646577E21018ACBC1F5EF488E478991C7C0FBD2588BA9630D2E9802ED699F3F6F74D75494
Malicious:	false
Preview:	ElfChnk.....................................hQ..pS....F...................................................................................................................=...........................................................................................................................f...............?...............9.......B.......................M...F...........................................................&...............................................................q.......................*..................f...........>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.308707995715741
Encrypted:	false
SSDEEP:	768:uxSaa8NlaranavazaZa5agCadadaZadacaRaZasasaUaUaMacaIaYaEakaAagakL:yNA
MD5:	BC1BCC38E89B3483AAAF40BC3122D3AD
SHA1:	1D02ABC77061093A5867F3E259160B019444DFB7
SHA-256:	B24A4E4A935D6B689208D05D4E9F911BD34A9A6C456948E961EF52DDFA2D7AC5
SHA-512:	EF011A89D4123BF2D950E607E1D5564D6CFDDC3D0B7156744F336BB83E47D7FD0D5BEB2A7C08DC78DBD96283056E2C6ECCA5750161B20EBCB5585EFEAC35CDDB
Malicious:	false
Preview:	ElfChnk./.......x.......E.......................P...d$.,....................................................................?..%................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............................................9...................................**..H...E.......3..Y.9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.930395201431989
Encrypted:	false
SSDEEP:	384:QhNXDcXxzXZXeX/XOXMXauXLiXCXVX1XYXZXeX+XiXfXuXFXRX9XsX5XLXzXgXyV:QyAggHqOT
MD5:	AEC70E63BB17473F5BC05BBA7A24C4D5
SHA1:	DC60A92CD17B66D662548F761194417584C19EFD
SHA-256:	735D6547ED68F051448721EF4CB6696DFDC7366C7A3E23E7C0C1EB0081CF7BE8
SHA-512:	A288DA11D3A53F20EB724C0762B4D33569C37177816BA0B5752AF98DB26F49B2F0F01EF7B5C13713845F1F897A7391812B082D8DD3A30D9E373E6029D1CE4B5F
Malicious:	false
Preview:	ElfChnk.........J...............J...........8.........=+.......................................................................7................j...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................C...............................................................**..............C..?T...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.3349408445986155
Encrypted:	false
SSDEEP:	384:Sh2LmImemomHmOmamCm2m2m3mnBmGqmFmJmFmKmrm2mOmsmSmmmVmghmRmBmBSXR:S/fh
MD5:	FAD7BB2A2B6A8C323F3952EA20528956
SHA1:	34E4AC310CFAD511D469F47EDC4A81A7D171911E
SHA-256:	7AFA780036429AFD4BB39B40602F2A2E05CD658A27AB9689886FB5647F04A23E
SHA-512:	57FAF63B3F33AFD47A764F85597C488DB1A9845A1C4CE7449797F9E15FECEBB03BC5872811615757C98D70410CA6389AF6DB73A4A4B2AB0375893712847A09B7
Malicious:	false
Preview:	ElfChnk.........................................P...&.e.......................................................................................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............3...................................................................**................y........../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9842713779193972
Encrypted:	false
SSDEEP:	384:ph0h21c2kS27W2VP2en32x2U2x2V2d2N26A2q242R2V2Y2w25vb2C2k2o2g2s2Il:p2C5U9
MD5:	A965BDA2233DA2A8FD340A35622A2F2C
SHA1:	EC5CE408DC8A459526BF1F72A55A3021DFCD1AC6
SHA-256:	1F40EF724D3AD0C6E4A24EB44E0F4A927821476567897425BD8402F57E240B84
SHA-512:	DEF27213078BD95F1A8BC5B0ED4B8BC2A4F376DB82A85ADF3DC796494E873901C7AE1BCA819ABEB383773476D3D9FC85C2AF8A441B989E09324400CB100153D5
Malicious:	false
Preview:	ElfChnk......................................]..._..n..........................................................................................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...............................%...............................&...................................................................................**................+.g........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	116936
Entropy (8bit):	4.305238089129907
Encrypted:	false
SSDEEP:	384:lVhpR+daRsRjRQRPRZX8R6R/aRXRsRqRbR2R7RoR/RlR9R/RlRlRaRMR0lbRLRz7:XLlKhLlKL
MD5:	7EE4AF4C98A33ACAEBFABBA419B7593B
SHA1:	86FE6BC4E1E802E6686D075CC038863ECF282846
SHA-256:	CF1749580C9BA08D0A7E3C6CC91AD9C9D1E98CE590F025F370879B8DFB39FE63
SHA-512:	62A3C36F67751AA5C4BDA6FBB80C2F3336BF6689FF0944401B5AB070DF60A27A41E260882441800AB77F64F64335B38DBFADD7190B02A38930EBC6C70DE7A0A7
Malicious:	false
Preview:	ElfChnk.Z...............Z.............................1}....................................................................3.].....................2.......@..............=..........................................S.......................%...........................J...........................f...Z...........?......................................?.......M...F...a...........}...................................y.......&.....................................................................................**..X...Z........;..9..........>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.386946820408639
Encrypted:	false
SSDEEP:	384:DhCh7whqhvh4h/hMNhihhiVqhXhPh5Vh+hth0qhPdh4zshS3hi9uhiZhhpYhAThQ:DkMfO1mGJH4
MD5:	3E622F165DF1E886EB21AC83D841DE75
SHA1:	54C49818AC2E54382B0464BAAFF783B41293241C
SHA-256:	7FB7021A710A938CF2161BE50EA60A44DBD54307362689E1F31B4E8C403DAE55
SHA-512:	214C6FDD608720E0DE650B439FABD36502419480C7916CD401D27B574EEF831C3AD0C3C32BDF3EB8DDF4DD42B3BF3CC98858C4992554E9F68300257F41B1BAF0
Malicious:	false
Preview:	ElfChnk.........6...............6...........X........~.......................................................................\.........................................l...=...........................................................................................................................f...............?...........................m...................M...F...........................................A...................&...................................................................9...............**..@...............,........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.5479414424934914
Encrypted:	false
SSDEEP:	384:Yh2VaVYVtVbVwVoVTVJVgVZVrVdVfVKVHVl/V+VnkVkgVOVEVRVtVsVCVFVhfV5H:YWIreU7U7enh
MD5:	6BE3FF89E0B0AC2F6A490446FFAD2125
SHA1:	F3FCD69C56C6B1278639029AC453A13519E75838
SHA-256:	DE0829B9E7CA1CC6D3714B38A37B1006FBB36856FEBE22C79EAE850540BC1418
SHA-512:	E4AF47980E9828024A2DAC470A582CA7EACAF6631A3220E2FEDC1903E09FBC530A7BC9EAD9FE7C249E3B5E5D5C90269FC3A862944DB798DD7D19BCA68684FCCF
Malicious:	false
Preview:	ElfChnk...............................................,.....................................................................1.9.................&...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..P...........F~..S...........w.&.........w..._.\|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.287346959251621
Encrypted:	false
SSDEEP:	384:EhuZBwBQ/lrBwB7/FBwBK8bV5BwB5dYBwBkBwBHBwB/BwBGBwBkBwBd5BwBJ+Bwy:E58bSRI+9
MD5:	7255088B156B431467259A0C49A3E473
SHA1:	869D7E51C6410425D33666F952B28844EF4D6899
SHA-256:	6D4391C38D01D963F48BF5E3F2E5950ED5B4CA016AA2ABD5657B733B5DB7C84F
SHA-512:	CA16514578F0F9B656E598B0B3C43FD884761821B5CD6A9C364FA6F262CD9CF7C6609908706489D2A2B3889BD112F9DBB66A14357A1144375A8B02D23FDBA0E0
Malicious:	false
Preview:	ElfChnk.............................................)./Y....................................................................q..{............................................=...........................................................................................................................f...............?...........................m...................M...F...........................W...................................&..................................................................................*..............6\. ^........./X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.39952452267522
Encrypted:	false
SSDEEP:	384:/h1wUEFUEmUEMUEgUENUEqUEqUEWUEvUESUE4UE4UE3UEbUEpUEpUE9UEgUExUEa:/LFWRqXJQe
MD5:	E865587D71A9766D06794EC44AB39AF0
SHA1:	2D050B53BC35A25B1817C10AB0ECF37BAF7C141B
SHA-256:	C25BB4C3C9F7A21F234974F00446CC0BBE3DC659849A14EF3C0A2FA5F3B99D00
SHA-512:	8B33BB597306094BAB452E0F6C254275D75E5CFB9F37AE277F3A6A309C7A6BF32DFFAA1EC45C18A5A5F14B12B01D4E6E7DA2BD3AF61234DBA6F1763C6F0D89A5
Malicious:	false
Preview:	ElfChnk.........+...............+...........x}......C..3....................................................................&...................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&....5.......................................................3......................**.............. 2^O.9......../X.P&......./X.P...P&.C..:.v........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\OneApp_IGCC.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.441999444093931
Encrypted:	false
SSDEEP:	384:dw0+VsWZttC95UZhVhRoSxHJUBvv3R2ipndD7odz6L7RPLfVXYgXcIycjd52T42p:d3sfo/0pQhxf27SVSVTuziNpBg12U
MD5:	796968E761F163D89878F1178926BF7B
SHA1:	3129B6AF0EFEBA2AA31CA7FD0A37DA56642C42F6
SHA-256:	F1A859690B482532EC068248BDC7E4000EB4E146FAFDFE22D45DEE2678DDC3FA
SHA-512:	56158178B7C5855F2D9F29A64C78222E8637AC0A193937FD5E8D7CC9EB640BD7C55388D484A7F565AE05800B7BDFA5A2EE5E7DE1A6B309D0F9B604E70AB1A9F8
Malicious:	false
Preview:	ElfChnk.........+...............+............Y...Z....Z........................................................................6............................................=...........................................................................................................................w...............P...........................~...................M...m...........................x...............................................................&.......................................................**..x............Bo.,.........\|.=O&.......\|.=O.s.Q...W.E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..j............{..P.r.o.v.i.d.e.r...G....=.......K...N.a.m.e.......O.n.e.A.p.p._.I.G.C.C._.W.i.n.S.e.r.v.i.c.e..A..M............a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V

C:\Windows\System32\winevt\Logs\Security.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69768
Entropy (8bit):	4.421656343113753
Encrypted:	false
SSDEEP:	384:Z+NvFRaBootxn+NvFRaBootxv+doJ+VpvnQzodMtBFopMt1ov2olKoLZovbolToJ:qNSWNSuh1rG
MD5:	04C0A072414A9BCBAECDC787BF426A41
SHA1:	8EE79CE5BCB6C71DEF949E6C34662CB803081E7B
SHA-256:	804FFAFDF9E6D468B5AC15F50FDEFD01C6234D84083A77753E06E08B0CF1713A
SHA-512:	6FB1E2C781663F1AECA39E1ADBD5B827B21A7ECB82058205159E32707558090BE7DDFCB35C646C5FE8EAA5C4892B81D369FCCC652905B9EAF420A319074970B8
Malicious:	false
Preview:	ElfChnk.........................................................................................................................................Z...s...h...................=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:...........................&...............................>.......................3...........................................................**..............3..]............&...........0.P\...3.Du?.......A..3...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....\...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\System.evtx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69624
Entropy (8bit):	4.424086358239701
Encrypted:	false
SSDEEP:	384:AFRrffFRrflw2SwXwFwfwI6wawSwfwLwZw3wEh2HJ9bPDda/8yQ9+9s9NvisQDyC:2jnKhR8XwKiYI/fNPYqp56YMn0Ry2
MD5:	BCBB16FFA2F7994AD04D141B550CDC54
SHA1:	A565867C6ACB77A1AC8994703A70C404067C296F
SHA-256:	8A2480F5C38CCE7103EF23A2497C4BFD1F4E18B389C4F805E094C9F5AE575506
SHA-512:	F4E87CF2972DFE8FB26E89277735D819FEE5FF6158EDCDB0230F39CF6651E358F124B02FFD53A60AD0EE7308072086C2313D94A8D1B3AD6FBDAE1F1DDEC91DD9
Malicious:	false
Preview:	ElfChnk..................0.......0...................k6.....................................................................C.:.....................s...h...............N...=...................................................N...............................................w.......0.......................E...................................W...........).......M...3...:...................................................................&...........................................................................**..@....0......3..].........}.T&........}.TA.P[J.......;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\Temp\tempdll.dll

Process:	C:\Users\user\Desktop\dropper.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	331776
Entropy (8bit):	6.318956070460591
Encrypted:	false
SSDEEP:	6144:lfSlVZvlVqQ+fv7M89ro8SaPKGOfOdScGYB5Zcxqo4HN3v/VUVcdt6:l6lVZvlVqFH7M89NSaPKLfFc5poA09
MD5:	26B19337F05A6BAEA7E49D38366A5C2F
SHA1:	E4A033997595013D65D7E46E0D179C80262038CA
SHA-256:	911CE2E95F00831E88F802FDB64DB2EDBCCC8FB0396C4264B5EC07220111B3BF
SHA-512:	C137125F80A20D09C7CE634E4A9891B5627D6A2A06D74FEEA2217D485C9E6D5C7BAF9C94594530F44D40290378B6B59D24692C72894690931881CBECCB53E86D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........vS....................R.......R.......R.......R..........d............R.......R......Rich............................PE..d...U.wg.........." ...&.....l......L}.......................................P............`.........................................`...D.................... ...............@..........T.......................(...`...@...............P............................text.............................. ..`.rdata..`A.......B..................@..@.data...............................@....pdata....... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.1035106668168675
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dropper.exe
File size:	3'247'104 bytes
MD5:	762bf8c0fa7791e6b1d4fc4fd9750514
SHA1:	b21efafaff42b9cb5d2a375a47236371610cd0d4
SHA256:	8e01f0fce89a1f8ff1ce56ce426f289bccdb375fcaf68490237f59655dc50061
SHA512:	ff24ab783c8d33edb25e5886f4a0dc54c7458f589104b368ed9654460c942550952a80551465f5fc864a6536769c8b50682dcad148978ea8efe1abedaf3cc248
SSDEEP:	49152:9shTzuPwbSgzcyJcqoWJuZYzey+H1P0JvPm0gWWbCWc+oqMKpm2+:9pWHzdM6vBDWbAP
TLSH:	88E5AD16B64658ADD06AC478834A4A73AA3674CE0B3579FF05D482393FA9FE51F3C708
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l.F/(.(\|(.(\|(.(\|!..\|$.(\|..)}.(\|..-}?.(\|..,}!.(\|..+}+.(\|Z.)}-.(\|(.)\|..(\|(.(\|..(\|E..\|).(\|E.}).(\|Rich(.(\|................PE..d..

File Icon


Icon Hash:	f0ecd6ce8d8e878b

Static PE Info

General

Entrypoint:	0x140156c40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6777A6B1 [Fri Jan 3 08:58:25 2025 UTC]
TLS Callbacks:	0x40140dc0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	0f026d0bef75c6cbd3ab3d29123202f8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F25B0C205C8h
dec eax
add esp, 28h
jmp 00007F25B0C20157h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007F25B0C202F8h
inc cx
and edx, 8D4DF000h
wait
add al, dh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x30b724	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x319000	0xc00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x30e000	0xa5d8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31a000	0x2100	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2ea820	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2ea880	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ea6e0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15f000	0x400	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15d91f	0x15da00	dc091c1e8b00bebef983255a277cf6d7	False	0.4546109671076153	data	6.336391184236192	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15f000	0x1ad656	0x1ad800	e80307459e46f3d7b763b8e041768024	False	0.772115332144936	data	7.37975922298643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x30d000	0x4a8	0x200	e52013ecbde41d2830e5277e4947239f	False	0.34765625	data	2.785226409213346	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x30e000	0xa5d8	0xa600	8dbea7c30af0583454c08d7ef307ee4c	False	0.5136248117469879	data	6.142562583718053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x319000	0xc00	0xc00	d47c4fd012b19c01e5a32ab71ff56ab2	False	0.7421875	data	6.00972549379838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x31a000	0x2100	0x2200	ebfd53c3bd59f7878f5067c8e74f857b	False	0.4831112132352941	data	5.401399256200194	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3190c0	0xb28	Device independent bitmap graphic, 21 x 64 x 32, image size 2688, resolution 3779 x 3779 px/m	English	United States	0.7629551820728291
RT_GROUP_ICON	0x319be8	0x14	data	English	United States	1.1

Imports

DLL	Import
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng
bcrypt.dll	BCryptGenRandom
ADVAPI32.dll	LsaAddAccountRights, SystemFunction036, AdjustTokenPrivileges, LookupPrivilegeValueW, LsaClose, GetTokenInformation, OpenProcessToken, LsaOpenPolicy
kernel32.dll	GetEnvironmentVariableW, GetStdHandle, GetCurrentProcessId, GetCurrentDirectoryW, QueryPerformanceFrequency, SetLastError, HeapReAlloc, lstrlenW, ReleaseMutex, RtlVirtualUnwind, CreateFileW, RtlLookupFunctionEntry, GetConsoleMode, RtlCaptureContext, GetSystemInfo, GetFullPathNameW, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetProcAddress, QueryPerformanceCounter, WaitForSingleObject, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, SwitchToThread, GetCurrentThread, SetThreadStackGuarantee, AddVectoredExceptionHandler, GetCurrentThreadId, GetSystemTimeAsFileTime, FormatMessageW, LoadLibraryExA, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapAlloc, HeapFree, GetProcessHeap, GetModuleFileNameW, Module32NextW, Module32FirstW, CreateToolhelp32Snapshot, GetProcessId, CloseHandle, GetLastError, GetCurrentProcess, GetModuleHandleA, VirtualQuery, GetModuleHandleW, OutputDebugStringW, SetFileInformationByHandle, IsProcessorFeaturePresent
oleaut32.dll	SysFreeString, GetErrorInfo, SysStringLen
api-ms-win-core-winrt-error-l1-1-0.dll	RoOriginateErrorW
ntdll.dll	NtWriteFile, RtlNtStatusToDosError
VCRUNTIME140.dll	memcmp, memcpy, __C_specific_handler, __CxxFrameHandler3, __current_exception, memset, __current_exception_context, memmove, _CxxThrowException
api-ms-win-crt-string-l1-1-0.dll	wcslen, strlen
api-ms-win-crt-math-l1-1-0.dll	roundf, truncf, exp2f, ceil, __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll	_initterm_e, exit, _exit, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, terminate, _set_app_type, _seh_filter_exe, _configure_narrow_argv
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	free, _set_new_mode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	04:12:36
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\dropper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\dropper.exe"
Imagebase:	0x7ff77f270000
File size:	3'247'104 bytes
MD5 hash:	762BF8C0FA7791E6B1D4FC4FD9750514
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	04:12:36
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff79f0e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	04:12:36
Start date:	03/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe"
Imagebase:	0x7ff64bab0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	04:12:36
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff79f0e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	04:12:41
Start date:	03/01/2025
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff6b20e0000
File size:	944'128 bytes
MD5 hash:	A987B43E6A8E8F894B98A3DF022DB518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	6
Start time:	04:12:41
Start date:	03/01/2025
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff7f6350000
File size:	59'448 bytes
MD5 hash:	15A556DEF233F112D127025AB51AC2D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	04:12:41
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	8
Start time:	04:12:42
Start date:	03/01/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff6934c0000
File size:	830'520 bytes
MD5 hash:	AB7AB4CF816D091EEE234C1D9BC4FD13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	9
Start time:	04:12:42
Start date:	03/01/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff6934c0000
File size:	830'520 bytes
MD5 hash:	AB7AB4CF816D091EEE234C1D9BC4FD13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	10
Start time:	04:12:42
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k RPCSS -p
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	11
Start time:	04:12:43
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	12
Start time:	04:12:43
Start date:	03/01/2025
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff731b80000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	13
Start time:	04:12:46
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	14
Start time:	04:12:46
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	15
Start time:	04:12:47
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	16
Start time:	04:12:47
Start date:	03/01/2025
Path:	C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe
Imagebase:	0x7ff616210000
File size:	365'360 bytes
MD5 hash:	B6BAD2BD8596D9101874E9042B8E2D63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	17
Start time:	04:12:47
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	18
Start time:	04:12:47
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	19
Start time:	04:12:48
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	20
Start time:	04:12:48
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	23
Start time:	04:12:49
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	24
Start time:	04:12:50
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	25
Start time:	04:12:50
Start date:	03/01/2025
Path:	C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe
Imagebase:	0x7ff6039c0000
File size:	521'536 bytes
MD5 hash:	3B0DF35583675DE5A08E8D4C1271CEC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	26
Start time:	04:12:50
Start date:	03/01/2025
Path:	C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe
Imagebase:	0x7ff60d660000
File size:	399'664 bytes
MD5 hash:	91038D45A86B5465E8B7E5CD63187150
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	27
Start time:	04:12:51
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	28
Start time:	04:12:51
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	29
Start time:	04:12:51
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	30
Start time:	04:12:52
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	31
Start time:	04:12:52
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	32
Start time:	04:12:52
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	33
Start time:	04:12:52
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	34
Start time:	04:12:52
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	35
Start time:	04:12:53
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	36
Start time:	04:12:53
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	37
Start time:	04:12:53
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	38
Start time:	04:12:54
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	39
Start time:	04:12:54
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	40
Start time:	04:12:55
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	41
Start time:	04:12:55
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	42
Start time:	04:12:55
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	43
Start time:	04:12:56
Start date:	03/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
Imagebase:	0x7ff659430000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false