Windows Analysis Report nV5Wu77N8J.dll

Overview

General Information

Sample Name: nV5Wu77N8J.dll
Analysis ID: 553353
MD5: a0306b7a6a12022e4fc8e586b0bc90ec
SHA1: ee7d221826a725a2110bbddbea34bd14522b5ab4
SHA256: 9b1ca060b5a969f03c4c8d99ad487a454742e47fff97343a90afacb5da7d9589
Tags: 32dllexe

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 21.2.rundll32.exe.4940000.0.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Multi AV Scanner detection for submitted file
Source: nV5Wu77N8J.dll Virustotal: Detection: 16%
Source: nV5Wu77N8J.dll ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: nV5Wu77N8J.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.304374143.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304124899.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304021128.0000000004DA9000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.320897103.0000000002D02000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308983031.0000000005175000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.304577343.00000000030BF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304118861.00000000030BF000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308983031.0000000005175000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304133012.00000000030CB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304258466.00000000030CB000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.304133012.00000000030CB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304258466.00000000030CB000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.304374143.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304124899.00000000030C5000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.304577343.00000000030BF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304118861.00000000030BF000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49770 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49771 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49749 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 11
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 0000001B.00000002.429773370.000001BC56700000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001B.00000002.429490850.000001BC560EA000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.23.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000017.00000003.396902729.0000000005B92000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.396161978.0000000005B8F000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.396717468.0000000005B92000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c994095b652b9
Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.18.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000A.00000002.310262590.000002C758813000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.309539722.000002C758849000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.309482803.000002C758867000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310779768.000002C758869000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.309494671.000002C75884D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000002.310656304.000002C758842000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309578524.000002C758841000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000002.310656304.000002C758842000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309578524.000002C758841000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000A.00000003.309539722.000002C758849000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310262590.000002C758813000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.309573636.000002C758845000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.309573636.000002C758845000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310557127.000002C75883A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000003.309494671.000002C75884D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.410707163.000001BC56788000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.410814184.000001BC56C19000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.410832016.000001BC56C02000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10001280 recvfrom, 5_2_10001280

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 5_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 6_2_10027958

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 8.2.rundll32.exe.4dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.32f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5610000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.32f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.4940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.4940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.34c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4e00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5640000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b30000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5380000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4990000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4dd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.336582284.00000000054B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336161253.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.296629194.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336665007.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336717142.0000000005641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680318843.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336600440.00000000054E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.296654820.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336482614.0000000005380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.321734731.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336517253.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.290395049.0000000004991000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680592852.00000000034C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.339368070.0000000004971000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.339330671.0000000004940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.299013072.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.299132771.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.290320378.0000000004960000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: nV5Wu77N8J.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Oxcjjbulglczzu\ Jump to behavior
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030E38 appears 50 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030535 appears 79 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030E38 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030535 appears 87 times
PE file contains strange resources
Source: nV5Wu77N8J.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: nV5Wu77N8J.dll Virustotal: Detection: 16%
Source: nV5Wu77N8J.dll ReversingLabs: Detection: 13%
Source: nV5Wu77N8J.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll"
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nV5Wu77N8J.dll,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 512
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd",JEKd
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Oxcjjbulglczzu\tjxbcbc.cmd",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nV5Wu77N8J.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd",JEKd Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 512 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Oxcjjbulglczzu\tjxbcbc.cmd",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BDC.tmp Jump to behavior
Source: classification engine Classification label: mal96.troj.evad.winDLL@37/18@0/27
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4624:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6300:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6788
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10021183 LoadResource,LockResource,SizeofResource, 5_2_10021183
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.304374143.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304124899.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304021128.0000000004DA9000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.320897103.0000000002D02000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308983031.0000000005175000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.304577343.00000000030BF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304118861.00000000030BF000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308983031.0000000005175000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304133012.00000000030CB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304258466.00000000030CB000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.304133012.00000000030CB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304258466.00000000030CB000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.304374143.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304124899.00000000030C5000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.304577343.00000000030BF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304118861.00000000030BF000.00000004.00000001.sdmp
Source: nV5Wu77N8J.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nV5Wu77N8J.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nV5Wu77N8J.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nV5Wu77N8J.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nV5Wu77N8J.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B408E0 push esp; iretd 1_2_02B408E3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B31195 push cs; iretd 1_2_02B31197
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1003060D push ecx; ret 5_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1003060D push ecx; ret 6_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10030E7D push ecx; ret 6_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04E01195 push cs; iretd 8_2_04E01197
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 5_2_1003E278
PE file contains an invalid checksum
Source: nV5Wu77N8J.dll Static PE information: real checksum: 0x970bf should be: 0x91c5b
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 5_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 6_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 6_2_1001DFC0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6448 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.18.dr Binary or memory string: VMware
Source: Amcache.hve.18.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.18.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.18.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr Binary or memory string: VMware7,1
Source: Amcache.hve.18.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000000.00000002.679522004.0000017948C02000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000001B.00000002.428874939.000001BC56084000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.429490850.000001BC560EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.18.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.18.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: svchost.exe, 00000000.00000002.679644301.0000017948C28000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.679752634.000001EEFC837000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.679837307.0000014F18429000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.18.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_1002DB0D
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 5_2_1003E278
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 5_2_10002D40
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3F7F7 mov eax, dword ptr fs:[00000030h] 1_2_02B3F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04E0F7F7 mov eax, dword ptr fs:[00000030h] 8_2_04E0F7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3C6B8 LdrInitializeThunk, 1_2_02B3C6B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_1003A8D4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_1002DB0D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_10032CB9

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 512
Source: loaddll32.exe, 00000001.00000000.298555349.0000000001670000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.296585233.0000000001670000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.681257947.0000000003960000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.680909111.0000014E73F90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000000.298555349.0000000001670000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.296585233.0000000001670000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.681257947.0000000003960000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.680909111.0000014E73F90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000000.298555349.0000000001670000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.296585233.0000000001670000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.681257947.0000000003960000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.680909111.0000014E73F90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000000.298555349.0000000001670000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.296585233.0000000001670000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.681257947.0000000003960000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.680909111.0000014E73F90000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 5_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 5_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 5_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 5_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 5_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 5_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 5_2_1003C7D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 5_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 5_2_1003D95D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 5_2_1003D9D1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 5_2_1003F9F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 5_2_1003EA86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 5_2_1003EABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 5_2_1003DBA3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 5_2_1003EBF9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_1003DC64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_1003DCCB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 5_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 6_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 6_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 6_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 6_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 6_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 6_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 6_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 6_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 6_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 6_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 6_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 6_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 6_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 6_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 5_2_1003732F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10024F01 _memset,GetVersionExA, 6_2_10024F01

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.18.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000E.00000002.679805770.0000020AA0C3D000.00000004.00000001.sdmp Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.679936943.0000020AA0D02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 8.2.rundll32.exe.4dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.32f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5610000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.32f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.4940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.4940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.34c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4e00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5640000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b30000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5380000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4990000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4dd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.336582284.00000000054B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336161253.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.296629194.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336665007.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336717142.0000000005641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680318843.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336600440.00000000054E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.296654820.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336482614.0000000005380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.321734731.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336517253.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.290395049.0000000004991000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680592852.00000000034C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.339368070.0000000004971000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.339330671.0000000004940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.299013072.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.299132771.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.290320378.0000000004960000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 5_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 6_2_10001160