Windows Analysis Report
JtJ50Swtfo

Overview

General Information

Sample Name: JtJ50Swtfo (renamed file extension from none to dll)
Analysis ID: 631905
MD5: 646ca94d40f268c87215ffea9fd0e826
SHA1: 22e67eb4d6e4b5f09e3de5a6021462adcf99fe75
SHA256: 52769f52f479f16d61c449d307c7fd1fa23faa0b5589500e0967cd7955ca93d6
Tags: exetrojan
Infos:

Detection

Emotet
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: JtJ50Swtfo.dll ReversingLabs: Detection: 58%
Machine Learning detection for sample
Source: JtJ50Swtfo.dll Joe Sandbox ML: detected
Source: JtJ50Swtfo.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: UxTheme.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.498435020.000001DCF47A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32full.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: user32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.498435020.000001DCF47A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WerFault.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489436552.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.494207818.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489451616.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.493599535.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489417428.000001DCF3CD4000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000002.506763697.000001DCF40D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32full.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: user32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb0 source: WerFault.exe, 0000000D.00000003.489436552.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.494207818.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imm32.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 0000000D.00000003.489451616.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.493599535.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 8_2_000000018000BEF0

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 165.22.73.229 8080 Jump to behavior
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 165.22.73.229 165.22.73.229
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49777 -> 165.22.73.229:8080
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: svchost.exe, 0000001C.00000003.798183400.000001E5F2F68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.798172295.000001E5F2F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001C.00000003.798183400.000001E5F2F68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.798172295.000001E5F2F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001C.00000003.797311954.000001E5F2F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001C.00000003.797311954.000001E5F2F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001C.00000003.797311954.000001E5F2F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Ca equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001C.00000003.797311954.000001E5F2F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Ca equals www.twitter.com (Twitter)
Source: regsvr32.exe, 00000008.00000003.530874778.000000000134B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964141304.000000000134B000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000002.506608569.000001DCF3D59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.847597205.0000021372862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.851676211.000001E5F2F00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000010.00000002.847475290.0000021372813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.851676211.000001E5F2F00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000008.00000003.530930555.000000000131C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964081730.000000000131C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000008.00000003.530874778.000000000134B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964141304.000000000134B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000010.00000002.847350178.000002136D2AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.846896392.000002136D2A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.o
Source: regsvr32.exe, 00000008.00000002.964035767.00000000012EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/
Source: regsvr32.exe, 00000008.00000002.964047666.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964035767.00000000012EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/
Source: regsvr32.exe, 00000008.00000003.530907736.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964047666.00000000012F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/Num
Source: regsvr32.exe, 00000008.00000002.964035767.00000000012EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/d
Source: regsvr32.exe, 00000008.00000002.963976122.00000000012B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/z
Source: svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001C.00000003.819966685.000001E5F3402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.820019247.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819907811.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819952245.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819811916.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819800192.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819925695.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001C.00000003.819966685.000001E5F3402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.820019247.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819907811.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819952245.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819811916.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819800192.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819925695.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001C.00000003.819966685.000001E5F3402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.820019247.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819907811.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819952245.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819811916.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819800192.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819925695.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 0000001C.00000003.830088263.000001E5F2F8F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830129017.000001E5F2FA0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830206867.000001E5F2FB1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830274121.000001E5F3418000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830231188.000001E5F3418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180017C8C InternetReadFile, 8_2_0000000180017C8C

E-Banking Fraud
barindex
Yara detected Emotet
Source: Yara match File source: 4.2.rundll32.exe.21310570000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.21310570000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.18014000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.18014000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2a20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.297062b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.297062b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1490000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.458651717.0000000002A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.461474320.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.495781137.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.461684776.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.470298484.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.454696390.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.459283574.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.454207000.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.457901753.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964474360.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.492879250.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465354445.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.454739254.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.457838374.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507680225.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964188108.0000000001490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.457423446.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.494965359.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.456381918.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.454349685.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507222158.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.493226824.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
One or more processes crash
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7136 -s 328
Deletes files inside the Windows folder
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\GJzmbimn\geJzufDvqRClHij.dll:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\GJzmbimn\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA533412B0 2_2_00007FFA533412B0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA533453FB 2_2_00007FFA533453FB
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA53345CAD 2_2_00007FFA53345CAD
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA5334443C 2_2_00007FFA5334443C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA53346850 2_2_00007FFA53346850
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA53345E01 2_2_00007FFA53345E01
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA53344A70 2_2_00007FFA53344A70
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02A10000 2_2_02A10000
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180026410 2_2_0000000180026410
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180025C30 2_2_0000000180025C30
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180011CCC 2_2_0000000180011CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001D510 2_2_000000018001D510
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180001D58 2_2_0000000180001D58
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180011E5C 2_2_0000000180011E5C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002C6C8 2_2_000000018002C6C8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002C2C8 2_2_000000018002C2C8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180026F14 2_2_0000000180026F14
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180016320 2_2_0000000180016320
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180001378 2_2_0000000180001378
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180018FE8 2_2_0000000180018FE8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001ABE8 2_2_000000018001ABE8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800243F4 2_2_00000001800243F4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800083F8 2_2_00000001800083F8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800247FC 2_2_00000001800247FC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001DBFC 2_2_000000018001DBFC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001100C 2_2_000000018001100C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180027C28 2_2_0000000180027C28
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002143C 2_2_000000018002143C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001303C 2_2_000000018001303C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002A840 2_2_000000018002A840
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180003840 2_2_0000000180003840
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000B444 2_2_000000018000B444
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000F048 2_2_000000018000F048
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002AC4C 2_2_000000018002AC4C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180010050 2_2_0000000180010050
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180003050 2_2_0000000180003050
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000445C 2_2_000000018000445C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000C85C 2_2_000000018000C85C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180003460 2_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180029C6C 2_2_0000000180029C6C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001586C 2_2_000000018001586C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000406C 2_2_000000018000406C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000E06C 2_2_000000018000E06C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000BC70 2_2_000000018000BC70
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001447C 2_2_000000018001447C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180026C80 2_2_0000000180026C80
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180010C84 2_2_0000000180010C84
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180016088 2_2_0000000180016088
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002888 2_2_0000000180002888
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180017C8C 2_2_0000000180017C8C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000FC8C 2_2_000000018000FC8C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002D098 2_2_000000018002D098
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800154B8 2_2_00000001800154B8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800064D0 2_2_00000001800064D0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800180D4 2_2_00000001800180D4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800054D8 2_2_00000001800054D8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002CCE0 2_2_000000018002CCE0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800254E4 2_2_00000001800254E4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800184E8 2_2_00000001800184E8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800010E8 2_2_00000001800010E8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000E8F0 2_2_000000018000E8F0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002A0F8 2_2_000000018002A0F8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180019900 2_2_0000000180019900
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180011904 2_2_0000000180011904
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001F908 2_2_000000018001F908
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002490C 2_2_000000018002490C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001890C 2_2_000000018001890C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180003D18 2_2_0000000180003D18
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002191C 2_2_000000018002191C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001D128 2_2_000000018001D128
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000D12C 2_2_000000018000D12C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180014930 2_2_0000000180014930
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180008534 2_2_0000000180008534
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001CD44 2_2_000000018001CD44
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000B948 2_2_000000018000B948
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000796C 2_2_000000018000796C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180010590 2_2_0000000180010590
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180028D94 2_2_0000000180028D94
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800091A8 2_2_00000001800091A8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800171B8 2_2_00000001800171B8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180018DBC 2_2_0000000180018DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800141C8 2_2_00000001800141C8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002B1D4 2_2_000000018002B1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180023DDC 2_2_0000000180023DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800165E4 2_2_00000001800165E4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180029DF0 2_2_0000000180029DF0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180015DF4 2_2_0000000180015DF4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800011F4 2_2_00000001800011F4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000FE08 2_2_000000018000FE08
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180027E14 2_2_0000000180027E14
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000B618 2_2_000000018000B618
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180023220 2_2_0000000180023220
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180020A34 2_2_0000000180020A34
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180007634 2_2_0000000180007634
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180022E38 2_2_0000000180022E38
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000E638 2_2_000000018000E638
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180010250 2_2_0000000180010250
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180026A64 2_2_0000000180026A64
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180004264 2_2_0000000180004264
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180013674 2_2_0000000180013674
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000F678 2_2_000000018000F678
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000E278 2_2_000000018000E278
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180005E7C 2_2_0000000180005E7C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180025E88 2_2_0000000180025E88
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002868C 2_2_000000018002868C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180014E98 2_2_0000000180014E98
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180014AA4 2_2_0000000180014AA4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800126A8 2_2_00000001800126A8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800036A8 2_2_00000001800036A8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002A6BC 2_2_000000018002A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001CABC 2_2_000000018001CABC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000EAC0 2_2_000000018000EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001B6D4 2_2_000000018001B6D4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000F2DC 2_2_000000018000F2DC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800202E0 2_2_00000001800202E0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800226E0 2_2_00000001800226E0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180019AF0 2_2_0000000180019AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000BEF0 2_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180012EF8 2_2_0000000180012EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180029710 2_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180017710 2_2_0000000180017710
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000C740 2_2_000000018000C740
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180020F44 2_2_0000000180020F44
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180023B48 2_2_0000000180023B48
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180023748 2_2_0000000180023748
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180021754 2_2_0000000180021754
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180022358 2_2_0000000180022358
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180029F5C 2_2_0000000180029F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002B368 2_2_000000018002B368
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001BF70 2_2_000000018001BF70
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180025374 2_2_0000000180025374
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180007F74 2_2_0000000180007F74
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180021F7C 2_2_0000000180021F7C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180019788 2_2_0000000180019788
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180001B8C 2_2_0000000180001B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180028394 2_2_0000000180028394
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180013B94 2_2_0000000180013B94
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001479C 2_2_000000018001479C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000E7A0 2_2_000000018000E7A0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800087A4 2_2_00000001800087A4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180017BA8 2_2_0000000180017BA8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000EBAC 2_2_000000018000EBAC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001B3B8 2_2_000000018001B3B8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180012BB8 2_2_0000000180012BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800257C0 2_2_00000001800257C0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180008BC0 2_2_0000000180008BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800117C4 2_2_00000001800117C4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800227E0 2_2_00000001800227E0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFA533412B0 3_2_00007FFA533412B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFA533453FB 3_2_00007FFA533453FB
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFA53345CAD 3_2_00007FFA53345CAD
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFA5334443C 3_2_00007FFA5334443C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFA53346850 3_2_00007FFA53346850
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFA53345E01 3_2_00007FFA53345E01
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFA53344A70 3_2_00007FFA53344A70
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018013E10000 3_2_0000018013E10000
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021310560000 4_2_0000021310560000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000297062A0000 5_2_00000297062A0000
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_01480000 8_2_01480000
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180026410 8_2_0000000180026410
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000680F 8_2_000000018000680F
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180025C30 8_2_0000000180025C30
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180013674 8_2_0000000180013674
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180017C8C 8_2_0000000180017C8C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000A48C 8_2_000000018000A48C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180011CCC 8_2_0000000180011CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000BEF0 8_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180029710 8_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001D510 8_2_000000018001D510
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180026F14 8_2_0000000180026F14
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180001D58 8_2_0000000180001D58
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002B368 8_2_000000018002B368
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180001378 8_2_0000000180001378
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180010590 8_2_0000000180010590
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800091A8 8_2_00000001800091A8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180018DBC 8_2_0000000180018DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800165E4 8_2_00000001800165E4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180018FE8 8_2_0000000180018FE8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001ABE8 8_2_000000018001ABE8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180029DF0 8_2_0000000180029DF0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800243F4 8_2_00000001800243F4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180015DF4 8_2_0000000180015DF4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800011F4 8_2_00000001800011F4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800083F8 8_2_00000001800083F8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800247FC 8_2_00000001800247FC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001DBFC 8_2_000000018001DBFC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000FE08 8_2_000000018000FE08
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001100C 8_2_000000018001100C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180027E14 8_2_0000000180027E14
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000B618 8_2_000000018000B618
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180023220 8_2_0000000180023220
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180027C28 8_2_0000000180027C28
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180020A34 8_2_0000000180020A34
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180007634 8_2_0000000180007634
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180022E38 8_2_0000000180022E38
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000E638 8_2_000000018000E638
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002143C 8_2_000000018002143C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001303C 8_2_000000018001303C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002A840 8_2_000000018002A840
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180003840 8_2_0000000180003840
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000B444 8_2_000000018000B444
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000F048 8_2_000000018000F048
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002AC4C 8_2_000000018002AC4C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180010050 8_2_0000000180010050
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180010250 8_2_0000000180010250
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180003050 8_2_0000000180003050
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180011E5C 8_2_0000000180011E5C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000445C 8_2_000000018000445C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000C85C 8_2_000000018000C85C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180003460 8_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180026A64 8_2_0000000180026A64
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180004264 8_2_0000000180004264
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180029C6C 8_2_0000000180029C6C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001586C 8_2_000000018001586C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000406C 8_2_000000018000406C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000E06C 8_2_000000018000E06C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000BC70 8_2_000000018000BC70
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000F678 8_2_000000018000F678
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000E278 8_2_000000018000E278
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001447C 8_2_000000018001447C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180005E7C 8_2_0000000180005E7C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180026C80 8_2_0000000180026C80
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180010C84 8_2_0000000180010C84
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180025E88 8_2_0000000180025E88
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180016088 8_2_0000000180016088
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180002888 8_2_0000000180002888
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002868C 8_2_000000018002868C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000FC8C 8_2_000000018000FC8C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002D098 8_2_000000018002D098
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180014E98 8_2_0000000180014E98
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180014AA4 8_2_0000000180014AA4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800126A8 8_2_00000001800126A8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800036A8 8_2_00000001800036A8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800154B8 8_2_00000001800154B8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002A6BC 8_2_000000018002A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001CABC 8_2_000000018001CABC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000EAC0 8_2_000000018000EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002C6C8 8_2_000000018002C6C8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002C2C8 8_2_000000018002C2C8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800064D0 8_2_00000001800064D0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001B6D4 8_2_000000018001B6D4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800180D4 8_2_00000001800180D4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800054D8 8_2_00000001800054D8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000F2DC 8_2_000000018000F2DC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800202E0 8_2_00000001800202E0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002CCE0 8_2_000000018002CCE0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800226E0 8_2_00000001800226E0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800254E4 8_2_00000001800254E4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800184E8 8_2_00000001800184E8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800010E8 8_2_00000001800010E8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180019AF0 8_2_0000000180019AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000E8F0 8_2_000000018000E8F0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002A0F8 8_2_000000018002A0F8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180012EF8 8_2_0000000180012EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180019900 8_2_0000000180019900
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180011904 8_2_0000000180011904
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001F908 8_2_000000018001F908
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002490C 8_2_000000018002490C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001890C 8_2_000000018001890C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180017710 8_2_0000000180017710
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180003D18 8_2_0000000180003D18
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002191C 8_2_000000018002191C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180016320 8_2_0000000180016320
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001D128 8_2_000000018001D128
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000D12C 8_2_000000018000D12C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180014930 8_2_0000000180014930
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180008534 8_2_0000000180008534
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000C740 8_2_000000018000C740
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180020F44 8_2_0000000180020F44
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001CD44 8_2_000000018001CD44
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180023B48 8_2_0000000180023B48
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180023748 8_2_0000000180023748
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000B948 8_2_000000018000B948
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180021754 8_2_0000000180021754
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180022358 8_2_0000000180022358
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180029F5C 8_2_0000000180029F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000796C 8_2_000000018000796C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001BF70 8_2_000000018001BF70
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180025374 8_2_0000000180025374
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180007F74 8_2_0000000180007F74
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180021F7C 8_2_0000000180021F7C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180019788 8_2_0000000180019788
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180001B8C 8_2_0000000180001B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180028D94 8_2_0000000180028D94
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180028394 8_2_0000000180028394
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180013B94 8_2_0000000180013B94
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001479C 8_2_000000018001479C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000E7A0 8_2_000000018000E7A0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800087A4 8_2_00000001800087A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180017BA8 8_2_0000000180017BA8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000EBAC 8_2_000000018000EBAC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180012BB8 8_2_0000000180012BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001B3B8 8_2_000000018001B3B8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800171B8 8_2_00000001800171B8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800257C0 8_2_00000001800257C0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180008BC0 8_2_0000000180008BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800117C4 8_2_00000001800117C4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800141C8 8_2_00000001800141C8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002B1D4 8_2_000000018002B1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180023DDC 8_2_0000000180023DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800227E0 8_2_00000001800227E0
Found potential string decryption / allocating functions
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFA5334B3B0 appears 148 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFA53347FF0 appears 31 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFA5334BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA5334B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA53347FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA5334BD70 appears 113 times
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: JtJ50Swtfo.dll ReversingLabs: Detection: 58%
Source: JtJ50Swtfo.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\JtJ50Swtfo.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_FileTime
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_SystemTime
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GJzmbimn\geJzufDvqRClHij.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7136 -s 328
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7124 -s 336
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 332
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 332
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\JtJ50Swtfo.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_FileTime Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_SystemTime Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GJzmbimn\geJzufDvqRClHij.dll" Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 332 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F45.tmp Jump to behavior
Source: classification engine Classification label: mal72.troj.evad.winDLL@27/17@0/2
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180029710 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 8_2_0000000180029710
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7124
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7136
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3552
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: JtJ50Swtfo.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: JtJ50Swtfo.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: UxTheme.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.498435020.000001DCF47A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32full.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: user32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.498435020.000001DCF47A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WerFault.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489436552.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.494207818.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489451616.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.493599535.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489417428.000001DCF3CD4000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000002.506763697.000001DCF40D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32full.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: user32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb0 source: WerFault.exe, 0000000D.00000003.489436552.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.494207818.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imm32.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 0000000D.00000003.489451616.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.493599535.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180006951 pushad ; retf 2_2_0000000180006953
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA533512E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_00007FFA533512E3
PE file contains an invalid checksum
Source: JtJ50Swtfo.dll Static PE information: real checksum: 0x61dc7 should be: 0x5caa2
Registers a DLL
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\JtJ50Swtfo.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\GJzmbimn\geJzufDvqRClHij.dll Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\GJzmbimn\geJzufDvqRClHij.dll:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5832 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5816 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7000 Thread sleep time: -90000s >= -30000s Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\System32\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.6 %
Source: C:\Windows\System32\rundll32.exe API coverage: 8.6 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 8_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: regsvr32.exe, 00000002.00000002.456457446.000000000114B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_
Source: svchost.exe, 00000010.00000002.847597205.0000021372862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000010.00000002.847200538.000002136D229000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWm
Source: regsvr32.exe, 00000008.00000003.530930555.000000000131C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964081730.000000000131C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWJC
Source: WerFault.exe, 0000000D.00000002.506564826.000001DCF3D4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWAN Miniport (Network Monitor)-QoS Packet Scheduler-0000
Source: regsvr32.exe, 00000008.00000003.530930555.000000000131C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964081730.000000000131C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.530907736.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964047666.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000002.506564826.000001DCF3D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.847584884.0000021372855000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.851593319.000001E5F24EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000011.00000002.964021650.0000024340A02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: WerFault.exe, 0000000D.00000002.505993659.000001DCF1E92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@(
Source: svchost.exe, 0000001C.00000002.851473850.000001E5F24A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000011.00000002.964079683.0000024340A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA53343280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFA53343280
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA53350215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error, 2_2_00007FFA53350215
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA533512E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_00007FFA533512E3
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 332 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA53343280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFA53343280
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA5334BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFA5334BE50
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFA53343280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFA53343280
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFA5334BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFA5334BE50

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 165.22.73.229 8080 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 332 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA53348900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_00007FFA53348900
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA53348860 HeapCreate,GetVersion,HeapSetInformation, 2_2_00007FFA53348860

Stealing of Sensitive Information
barindex
Yara detected Emotet
Source: Yara match File source: 4.2.rundll32.exe.21310570000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.21310570000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.18014000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.18014000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2a20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.297062b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.297062b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1490000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.458651717.0000000002A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.461474320.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.495781137.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.461684776.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.470298484.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.454696390.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.459283574.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.454207000.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.457901753.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964474360.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.492879250.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465354445.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.454739254.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.457838374.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507680225.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964188108.0000000001490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.457423446.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.494965359.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.456381918.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.454349685.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507222158.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.493226824.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 631905 Sample: JtJ50Swtfo Startdate: 22/05/2022 Architecture: WINDOWS Score: 72 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected Emotet 2->48 50 Machine Learning detection for sample 2->50 8 loaddll64.exe 1 2->8         started        10 svchost.exe 9 1 2->10         started        13 svchost.exe 2->13         started        15 4 other processes 2->15 process3 dnsIp4 17 regsvr32.exe 5 8->17         started        20 rundll32.exe 8->20         started        22 cmd.exe 1 8->22         started        24 2 other processes 8->24 40 127.0.0.1 unknown unknown 10->40 process5 signatures6 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->44 26 regsvr32.exe 17->26         started        30 WerFault.exe 9 20->30         started        32 WerFault.exe 20->32         started        34 rundll32.exe 22->34         started        36 WerFault.exe 20 9 24->36         started        process7 dnsIp8 42 165.22.73.229, 49777, 8080 DIGITALOCEAN-ASNUS United States 26->42 52 System process connects to network (likely due to code injection or exploit) 26->52 38 WerFault.exe 9 34->38         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
165.22.73.229
 unknown United States
14061 DIGITALOCEAN-ASNUS true

Private

IP
127.0.0.1