
Windows Analysis Report
JtJ50Swtfo

Overview

General Information

Sample Name: JtJ50Swtfo (renamed file extension from none to dll)
Analysis ID: 631905
MD5: 646ca94d40f268c87215ffea9fd0e826
SHA1: 22e67eb4d6e4b5f09e3de5a6021462adcf99fe75
SHA256: 52769f52f479f16d61c449d307c7fd1fa23faa0b5589500e0967cd7955ca93d6
Tags: exetrojan

Detection

Emotet
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7096 cmdline: loaddll64.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 7104 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7124 cmdline: rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • WerFault.exe (PID: 5944 cmdline: C:\Windows\system32\WerFault.exe -u -p 7124 -s 336 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • regsvr32.exe (PID: 7112 cmdline: regsvr32.exe /s C:\Users\user\Desktop\JtJ50Swtfo.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 6316 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GJzmbimn\geJzufDvqRClHij.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 7136 cmdline: rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_FileTime MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 5900 cmdline: C:\Windows\system32\WerFault.exe -u -p 7136 -s 328 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 3552 cmdline: rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_SystemTime MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 5436 cmdline: C:\Windows\system32\WerFault.exe -u -p 3552 -s 332 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
      • WerFault.exe (PID: 5148 cmdline: C:\Windows\system32\WerFault.exe -u -p 3552 -s 332 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 6320 cmdline: rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
  • svchost.exe (PID: 5788 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3008 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4176 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5328 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6288 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6908 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.458651717.0000000002A20000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000000.461474320.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.495781137.0000018014000000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000000.461684776.00000297062B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000000.470298484.00000297062B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(17 entries in total; first 5 shown)
Source | Rule | Description | Author | Strings
4.2.rundll32.exe.21310570000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.0.rundll32.exe.21310570000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.21310570000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.0.rundll32.exe.21310570000.2.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.0.rundll32.exe.297062b0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(17 entries in total; first 5 shown)
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: JtJ50Swtfo.dll ReversingLabs: Detection: 58%
Source: JtJ50Swtfo.dll Joe Sandbox ML: detected
Source: JtJ50Swtfo.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: UxTheme.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: gdi32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rpcrt4.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: win32u.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.498435020.000001DCF47A0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: gdi32full.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: gdi32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: user32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.498435020.000001DCF47A0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rundll32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: WerFault.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: imagehlp.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489436552.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.494207818.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489451616.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.493599535.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489417428.000001DCF3CD4000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000002.506763697.000001DCF40D7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: win32u.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: gdi32full.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: user32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb0 source: WerFault.exe, 0000000D.00000003.489436552.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.494207818.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernelbase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: imm32.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdb0 source: WerFault.exe, 0000000D.00000003.489451616.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.493599535.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose,

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 165.22.73.229 8080
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View IP Address: 165.22.73.229 165.22.73.229
Source: global traffic TCP traffic: 192.168.2.5:49777 -> 165.22.73.229:8080
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
                      Source: svchost.exe, 0000001C.00000003.798183400.000001E5F2F68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.798172295.000001E5F2F61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX",
"SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
                      Source: svchost.exe, 0000001C.00000003.798183400.000001E5F2F68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.798172295.000001E5F2F61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX",
"SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
                      Source: svchost.exe, 0000001C.00000003.797311954.000001E5F2F85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG",
"VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 0000001C.00000003.797311954.000001E5F2F85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG",
"VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 0000001C.00000003.797311954.000001E5F2F85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Ca equals 
www.facebook.com (Facebook)
                      Source: svchost.exe, 0000001C.00000003.797311954.000001E5F2F85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Ca equals 
www.twitter.com (Twitter)
Source: regsvr32.exe, 00000008.00000003.530874778.000000000134B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964141304.000000000134B000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000002.506608569.000001DCF3D59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.847597205.0000021372862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.851676211.000001E5F2F00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000010.00000002.847475290.0000021372813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.851676211.000001E5F2F00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000008.00000003.530930555.000000000131C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964081730.000000000131C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000008.00000003.530874778.000000000134B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964141304.000000000134B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000010.00000002.847350178.000002136D2AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.846896392.000002136D2A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.o
Source: regsvr32.exe, 00000008.00000002.964035767.00000000012EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/
Source: regsvr32.exe, 00000008.00000002.964047666.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964035767.00000000012EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/
Source: regsvr32.exe, 00000008.00000003.530907736.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964047666.00000000012F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/Num
Source: regsvr32.exe, 00000008.00000002.964035767.00000000012EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/d
Source: regsvr32.exe, 00000008.00000002.963976122.00000000012B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/z
Source: svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001C.00000003.819966685.000001E5F3402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.820019247.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819907811.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819952245.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819811916.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819800192.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819925695.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001C.00000003.819966685.000001E5F3402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.820019247.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819907811.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819952245.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819811916.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819800192.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819925695.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001C.00000003.819966685.000001E5F3402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.820019247.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819907811.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819952245.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819811916.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819800192.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819925695.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 0000001C.00000003.830088263.000001E5F2F8F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830129017.000001E5F2FA0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830206867.000001E5F2FB1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830274121.000001E5F3418000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830231188.000001E5F3418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180017C8C InternetReadFile,

E-Banking Fraud

Source: Yara match File source: 4.2.rundll32.exe.21310570000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.21310570000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.18014000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.18014000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2a20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.297062b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.21310570000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.297062b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.297062b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1490000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.18014000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.458651717.0000000002A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.461474320.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.495781137.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.461684776.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.470298484.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.454696390.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.459283574.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.454207000.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.457901753.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964474360.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.492879250.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465354445.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.454739254.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.457838374.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507680225.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964188108.0000000001490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.457423446.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.494965359.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.456381918.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.454349685.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507222158.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.493226824.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7136 -s 328
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\GJzmbimn\geJzufDvqRClHij.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\GJzmbimn\
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000E06C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000BC70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000F678
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000E278
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018001447C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180005E7C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180026C80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180010C84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180025E88
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180016088
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180002888
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018002868C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000FC8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018002D098
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180014E98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180014AA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800126A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800036A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800154B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018002A6BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018001CABC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000EAC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018002C6C8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018002C2C8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800064D0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018001B6D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800180D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800054D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000F2DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800202E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018002CCE0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800226E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800254E4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800184E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800010E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180019AF0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000E8F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018002A0F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180012EF8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180019900
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180011904
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018001F908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018002490C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018001890C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180017710
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180003D18
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018002191C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180016320
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018001D128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000D12C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180014930
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180008534
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000C740
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180020F44
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018001CD44
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180023B48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180023748
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000B948
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180021754
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180022358
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180029F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000796C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018001BF70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180025374
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180007F74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180021F7C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180019788
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180001B8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180028D94
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180028394
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180013B94
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018001479C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000E7A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800087A4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180017BA8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018000EBAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180012BB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018001B3B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800171B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800257C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180008BC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800117C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800141C8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_000000018002B1D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_0000000180023DDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_00000001800227E0
                      Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFA5334B3B0 appears 148 times
                      Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFA53347FF0 appears 31 times
                      Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFA5334BD70 appears 113 times
                      Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA5334B3B0 appears 148 times
                      Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA53347FF0 appears 31 times
                      Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA5334BD70 appears 113 times
                      Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
                      Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
                      Source: JtJ50Swtfo.dll ReversingLabs: Detection: 58%
                      Source: JtJ50Swtfo.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll"
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\JtJ50Swtfo.dll
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_FileTime
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_SystemTime
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GJzmbimn\geJzufDvqRClHij.dll"
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,DllRegisterServer
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7136 -s 328
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7124 -s 336
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 332
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 332
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\JtJ50Swtfo.dll
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_FileTime
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_SystemTime
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,DllRegisterServer
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GJzmbimn\geJzufDvqRClHij.dll"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 332
                      Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
                      Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F45.tmp
                      Source: classification engine Classification label: mal72.troj.evad.winDLL@27/17@0/2
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180029710 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1
                      Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7124
                      Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7136
                      Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3552
                      Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: JtJ50Swtfo.dll Static PE information: Image base 0x180000000 > 0x60000000
                      Source: JtJ50Swtfo.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: UxTheme.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: gdi32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rpcrt4.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: win32u.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.498435020.000001DCF47A0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: gdi32full.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: gdi32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: user32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.498435020.000001DCF47A0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rundll32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: WerFault.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: imagehlp.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489436552.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.494207818.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489451616.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.493599535.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.489417428.000001DCF3CD4000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000002.506763697.000001DCF40D7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: win32u.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: gdi32full.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498450367.000001DCF47A4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: user32.pdb8 source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb0 source: WerFault.exe, 0000000D.00000003.489436552.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.494207818.000001DCF3CDA000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernelbase.pdb source: WerFault.exe, 0000000D.00000003.498372530.000001DCF47A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: imm32.pdb source: WerFault.exe, 0000000D.00000003.498387557.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.498456869.000001DCF47A7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdb0 source: WerFault.exe, 0000000D.00000003.489451616.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.493599535.000001DCF3CE0000.00000004.00000020.00020000.00000000.sdmp
                      Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180006951 pushad ; retf
                      Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFA533512E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,
                      Source: JtJ50Swtfo.dll Static PE information: real checksum: 0x61dc7 should be: 0x5caa2
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\JtJ50Swtfo.dll
                      Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\GJzmbimn\geJzufDvqRClHij.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\GJzmbimn\geJzufDvqRClHij.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 5832 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5816 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7000 | Thread sleep time: -90000s >= -30000s
                      Source: C:\Windows\System32\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Windows\System32\regsvr32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                      Source: C:\Windows\System32\regsvr32.exe | API coverage: 8.6 %
                      Source: C:\Windows\System32\rundll32.exe | API coverage: 8.6 %
                      Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose,
                      Source: C:\Windows\System32\regsvr32.exe | API call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\rundll32.exe | API call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
                      Source: regsvr32.exe, 00000002.00000002.456457446.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_
                      Source: svchost.exe, 00000010.00000002.847597205.0000021372862000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "@Hyper-V RAW
                      Source: svchost.exe, 00000010.00000002.847200538.000002136D229000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWm
                      Source: regsvr32.exe, 00000008.00000003.530930555.000000000131C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964081730.000000000131C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWJC
                      Source: WerFault.exe, 0000000D.00000002.506564826.000001DCF3D4D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWAN Miniport (Network Monitor)-QoS Packet Scheduler-0000
                      Source: regsvr32.exe, 00000008.00000003.530930555.000000000131C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964081730.000000000131C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.530907736.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964047666.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000002.506564826.000001DCF3D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.847584884.0000021372855000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.851593319.000001E5F24EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000011.00000002.964021650.0000024340A02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: WerFault.exe, 0000000D.00000002.505993659.000001DCF1E92000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@(
                      Source: svchost.exe, 0000001C.00000002.851473850.000001E5F24A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000011.00000002.964079683.0000024340A28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFA53343280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFA53350215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error,
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFA533512E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,
                      Source: C:\Windows\System32\loaddll64.exe | Process queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exe | Process queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 332
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFA53343280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFA5334BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFA53343280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFA5334BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\System32\regsvr32.exe | Network Connect: 165.22.73.229 8080
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 332
                      Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFA53348900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFA53348860 HeapCreate,GetVersion,HeapSetInformation,

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 4.2.rundll32.exe.21310570000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.rundll32.exe.21310570000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.21310570000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.rundll32.exe.21310570000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.rundll32.exe.297062b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.rundll32.exe.297062b0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.rundll32.exe.297062b0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.18014000000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.rundll32.exe.21310570000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.18014000000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.18014000000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.regsvr32.exe.2a20000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.rundll32.exe.297062b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.18014000000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.regsvr32.exe.2a20000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.regsvr32.exe.1490000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.rundll32.exe.21310570000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.297062b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.18014000000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.297062b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.regsvr32.exe.1490000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.18014000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.458651717.0000000002A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.461474320.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.495781137.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.461684776.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.470298484.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.454696390.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.459283574.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.454207000.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.457901753.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.964474360.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.492879250.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.465354445.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.454739254.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.457838374.0000018014000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.507680225.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.964188108.0000000001490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.457423446.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.494965359.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.456381918.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.454349685.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.507222158.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.493226824.0000021310570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      MITRE ATT&CK Matrix (numbers in parentheses are the report's signature counts for that technique; cells are separated by " | " in the column order of the header, and shorter rows leave the rightmost columns empty)

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Native API (2) | DLL Side-Loading (1) | Process Injection (111) | Masquerading (2) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (3) | Security Account Manager | Security Software Discovery (41) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (111) | NTDS | Virtualization/Sandbox Evasion (3) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Process Discovery (2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories (1) | Cached Domain Credentials | Remote System Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (2) | DCSync | File and Directory Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Regsvr32 (1) | Proc Filesystem | System Information Discovery (25) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll32 (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | DLL Side-Loading (1) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
                      Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | File Deletion (1) | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop
                      Behavior Graph (graph image not reproduced; the information below is what the graph shows)
                      Behavior Graph ID: 631905 | Sample: JtJ50Swtfo | Startdate: 22/05/2022 | Architecture: WINDOWS | Score: 72
                      Signatures on the sample: Multi AV Scanner detection for submitted file; Yara detected Emotet; Machine Learning detection for sample
                      Process tree:
                        loaddll64.exe
                          regsvr32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
                            regsvr32.exe  -> 165.22.73.229, 49777, 8080 DIGITALOCEAN-ASNUS United States  [System process connects to network (likely due to code injection or exploit)]
                          rundll32.exe
                            WerFault.exe
                            WerFault.exe
                          cmd.exe
                            rundll32.exe
                              WerFault.exe
                          2 other processes
                            WerFault.exe
                        svchost.exe  -> 127.0.0.1 unknown unknown
                        svchost.exe
                        4 other processes

                      Source | Detection | Scanner | Label
                      JtJ50Swtfo.dll | 59% | ReversingLabs | Win64.Trojan.Emotet
                      JtJ50Swtfo.dll | 100% | Joe Sandbox ML |
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      4.0.rundll32.exe.21310570000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
                      3.2.rundll32.exe.18014000000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
                      4.2.rundll32.exe.21310570000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
                      3.0.rundll32.exe.18014000000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
                      3.0.rundll32.exe.18014000000.2.unpack | 100% | Avira | HEUR/AGEN.1215461
                      2.2.regsvr32.exe.2a20000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
                      5.0.rundll32.exe.297062b0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
                      5.0.rundll32.exe.297062b0000.2.unpack | 100% | Avira | HEUR/AGEN.1215461
                      4.0.rundll32.exe.21310570000.2.unpack | 100% | Avira | HEUR/AGEN.1215461
                      8.2.regsvr32.exe.1490000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
                      5.2.rundll32.exe.297062b0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
                      https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
                      https://165.22.73.229:8080/d | 0% | Avira URL Cloud | safe
                      https://165.22.73.229:8080/ | 0% | Avira URL Cloud | safe
                      https://www.pango.co/privacy | 0% | URL Reputation | safe
                      http://schemas.xmlsoap.o | 0% | URL Reputation | safe
                      https://disneyplus.com/legal. | 0% | URL Reputation | safe
                      https://165.22.73.229/ | 0% | Avira URL Cloud | safe
                      https://165.22.73.229:8080/z | 0% | Avira URL Cloud | safe
                      https://165.22.73.229:8080/Num | 0% | Avira URL Cloud | safe
                      http://crl.ver) | 0% | Avira URL Cloud | safe
                      https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
                      http://help.disneyplus.com. | 0% | URL Reputation | safe
                      No contacted domains info
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://165.22.73.229:8080/d | regsvr32.exe, 00000008.00000002.964035767.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://165.22.73.229:8080/ | regsvr32.exe, 00000008.00000002.964047666.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964035767.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://www.hotspotshield.com/terms/ | svchost.exe, 0000001C.00000003.819966685.000001E5F3402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.820019247.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819907811.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819952245.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819811916.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819800192.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819925695.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp | false |  | high
                      https://www.pango.co/privacy | svchost.exe, 0000001C.00000003.819966685.000001E5F3402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.820019247.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819907811.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819952245.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819811916.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819800192.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819925695.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://schemas.xmlsoap.o | svchost.exe, 00000010.00000002.847350178.000002136D2AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.846896392.000002136D2A8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://disneyplus.com/legal. | svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://165.22.73.229/ | regsvr32.exe, 00000008.00000002.964035767.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://165.22.73.229:8080/z | regsvr32.exe, 00000008.00000002.963976122.00000000012B8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        https://165.22.73.229:8080/Numregsvr32.exe, 00000008.00000003.530907736.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.964047666.00000000012F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://crl.ver)svchost.exe, 00000010.00000002.847475290.0000021372813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.851676211.000001E5F2F00000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        low
                        https://www.tiktok.com/legal/report/feedbacksvchost.exe, 0000001C.00000003.830088263.000001E5F2F8F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830129017.000001E5F2FA0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830206867.000001E5F2FB1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830274121.000001E5F3418000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.830231188.000001E5F3418000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://help.disneyplus.com.svchost.exe, 0000001C.00000003.824985746.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.824896680.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://support.hotspotshield.com/svchost.exe, 0000001C.00000003.819966685.000001E5F3402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.820019247.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819907811.000001E5F2FAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819952245.000001E5F341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819811916.000001E5F2F9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819800192.000001E5F2F8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.819925695.000001E5F341A000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
Contacted IP (public):
IP: 165.22.73.229
Domain: unknown
Country: United States
ASN: 14061
ASN Name: DIGITALOCEAN-ASNUS
Malicious: true

Contacted IP (private):
IP: 127.0.0.1
                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:631905
Start date and time: 2022-05-22 22:27:59 +02:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 10m 33s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:JtJ50Swtfo (renamed file extension from none to dll)
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal72.troj.evad.winDLL@27/17@0/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:
                          • Successful, ratio: 73% (good quality ratio 38.9%)
                          • Quality average: 32.7%
                          • Quality standard deviation: 37.6%
                          HCA Information:
                          • Successful, ratio: 94%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Override analysis time to 240s for rundll32
                          • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.189.173.22, 20.42.73.29, 69.192.160.56, 20.223.24.244
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: JtJ50Swtfo.dll
Time | Type | Description
22:29:42 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
22:29:43 | API Interceptor | 11x Sleep call for process: svchost.exe modified
                          No context
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):8192
                          Entropy (8bit):0.3593198815979092
                          Encrypted:false
                          SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
                          MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
                          SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
                          SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
                          SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
                          Malicious:false
                          Preview:.............*..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................*.............................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\svchost.exe
                          File Type:MPEG-4 LOAS
                          Category:dropped
                          Size (bytes):1310720
                          Entropy (8bit):0.24944714559392273
                          Encrypted:false
                          SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU44:BJiRdwfu2SRU44
                          MD5:3E2858CB05A9D748F750D8039601AB23
                          SHA1:55D4E5A52F95F129696CF737D4F32A1C34C09909
                          SHA-256:9E2E8BC9DE84ED75E0ACFD61FD791887A08327F0B9174482F5AC9CADFCE86D21
                          SHA-512:2C244429562908B15A2186B1477AB7CA158D4EE9A60D55B1B674C0DFB1F527F67A5AD5876E6B174361405EE15675BE7A5E01C61B1FCEEAA631097AD5451AFDF7
                          Malicious:false
                          Preview:V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\svchost.exe
                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x292d39b8, page size 16384, Windows version 10.0
                          Category:dropped
                          Size (bytes):786432
                          Entropy (8bit):0.2507046524094365
                          Encrypted:false
                          SSDEEP:384:8vB+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:8vqSB2nSB2RSjlK/+mLesOj1J2
                          MD5:17C3F78317E76B2C2DD76253E2873D75
                          SHA1:B19DEF2289166100899C754D126CE94036ED59D0
                          SHA-256:F66049E69E4C11374790B7BCBB5F439970EE0BB22478B0C8DA79D7C47A8F6346
                          SHA-512:CF93D742329BE22FA8C6C9E0CDC6C48AED0144343E1659CD13AFAA6E40A7C01BAE34AACF1EE37A2F600F96F57464869F939FFFCB3D0192A57B90EFA5DEF3D6ED
                          Malicious:false
                          Preview:)-9.... ................e.f.3...w........................).....7 ...z..+....z..h.(.....7 ...z....)..............3...w...........................................................................................................B...........@...................................................................................................... ....................................................................................................................................................................................................................................................'..7 ...z......................7 ...z..........................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):0.07485229205221174
                          Encrypted:false
                          SSDEEP:3:uSlr7vO6z4lAgyatKkS+ll/lle12Vlall3Vkttlmlnl:LlrrO6z4GgyatKkS2llrVA3
                          MD5:2B39CA08FECEFC1515366C71F597E30D
                          SHA1:2DC245390ADFECB8C661CF7FC83D657B951E377B
                          SHA-256:18D6F0A2BFF9DA25FBE25FACF5F73C14722481914BA28A314C073AD82AD1E1CA
                          SHA-512:10166219A1E70EFA4592BD4A478237E3A807DEF7E2DDA727215E8E9A9DC7ECFBA897B75CE4A2AA55534DD2E7DC8AF9358BC8B4DEC2BEF34837DA65B47C83D19D
                          Malicious:false
                          Preview:.5^......................................3...w..+....z..7 ...z..........7 ...z..7 ...z...F..7 ...z.i....................7 ...z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.7853108972243561
                          Encrypted:false
                          SSDEEP:96:GWFGspicAJPnyYj455oo7Rl6tpXIQcQPc6cWcEXcw3ufXaXz+HbHgSQgJPb5IDVw:x8eihJK4HhwW9K3jv9/u7sYS274ltZ
                          MD5:ACC827E38E39B150496954207F26CF9F
                          SHA1:AEECCE7820CD6B08DAC87E16AB391C4E35BE0876
                          SHA-256:19A9590BEAA003E8B1C936F8827090E59B4ED9414C38CA62D08177164A6BFD3F
                          SHA-512:40103EBC730DCC5CC13B4C9FE07930821DFBC52CDDBC9065C5960FBBC734490F21A92DC88CC432E7FA2C7B28DDCF8E3588CC35E032148E4925DC8294A523E9B0
                          Malicious:false
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.7.5.7.3.8.4.3.0.6.4.8.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.7.5.7.3.8.6.9.4.7.1.0.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.6.9.a.e.b.7.-.0.d.b.a.-.4.a.f.a.-.9.6.e.c.-.8.b.6.7.4.8.a.c.f.8.6.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.b.7.8.d.b.0.-.d.8.e.7.-.4.b.5.1.-.b.0.9.8.-.5.7.d.7.7.e.f.f.8.f.1.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.J.t.J.5.0.S.w.t.f.o...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.e.0.-.0.0.0.1.-.0.0.1.7.-.0.2.d.c.-.b.4.0.e.6.6.6.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.785376784883369
                          Encrypted:false
                          SSDEEP:96:5EweF2TpiwJPnyHj455oo7Rl6tpXIQcQPc6cWcEhx6cw3hQXaXz+HbHgSQgJPb5Z:5RekiwJKfHhwWAYjv9/u7sYS274ltZ
                          MD5:ED96BDCDAAE1D9424028EF842E615A0F
                          SHA1:3BAA92D74A6964C50AF8C2029AA6AEEC85DA26AE
                          SHA-256:BD9D3EAFE53E1DC3DE3A7A3D1196096535AA68C82811EA99C6A269E2289FA953
                          SHA-512:503A9D7DD3D16A85B8C65535064EB776A258507206328BD0490FC797EA96204665C46A067367EFA817798780AA7A150DDE62EB3B9E13BA0B0FD9048F3FF2A031
                          Malicious:false
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.7.5.7.3.6.9.8.0.6.9.6.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.7.5.7.3.7.9.9.1.6.2.6.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.b.9.d.3.2.7.-.c.b.9.d.-.4.6.1.c.-.9.0.8.a.-.c.a.a.e.f.6.0.3.6.6.8.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.e.0.6.9.5.b.-.0.e.5.2.-.4.c.8.7.-.8.4.6.4.-.7.a.a.b.a.6.4.6.b.f.5.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.J.t.J.5.0.S.w.t.f.o...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.e.0.-.0.0.0.1.-.0.0.1.7.-.0.f.e.6.-.6.0.0.c.6.6.6.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.7842975090540836
                          Encrypted:false
                          SSDEEP:96:b8xFppiqJPnyOj455oo7Rl6tpXIQcQPc6cWcEhx6cw3hQXaXz+HbHgSQgJPb5IDS:aliqJK+HhwWAYjv9/u7sYS274ltZ
                          MD5:CBD5581585A10FC5031E233CD69C170A
                          SHA1:01AA4FB42F81295A27AB5D9C7F38466034C86BA0
                          SHA-256:D4F180660024F2F240D414266211FD669AC40C9CF4BF165D8B2A72820CBAB36E
                          SHA-512:FC6926313ABB573E13AB87928BB1F60FC4E7C248CB1D327D7E0FA1B092A76EE249355144833D21B134142210B8DE55F362E3727AF3586DA064E0FB1FFFA5AC4D
                          Malicious:false
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.7.5.7.3.7.0.1.4.6.8.1.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.7.5.7.3.8.0.7.4.0.5.1.5.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.7.0.1.6.e.a.-.4.7.4.0.-.4.5.9.d.-.8.b.1.5.-.9.c.f.4.2.2.b.6.0.b.b.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.f.4.e.c.7.b.-.9.e.9.b.-.4.c.9.4.-.8.f.e.7.-.4.e.e.4.2.c.a.f.6.c.4.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.J.t.J.5.0.S.w.t.f.o...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.d.4.-.0.0.0.1.-.0.0.1.7.-.6.c.9.8.-.1.a.0.c.6.6.6.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Mon May 23 05:29:45 2022, 0x1205a4 type
                          Category:dropped
                          Size (bytes):66212
                          Entropy (8bit):2.280297288692693
                          Encrypted:false
                          SSDEEP:384:ByO904cSe2YqH2FC/HK7dlwcldYnUxUo88fvrW:cufMqH2FC/qdlw+t88K
                          MD5:E2CFC23224F78A477BDF042747F96436
                          SHA1:60BE11384E5D6E36A75EE5F189F0F3767B2EF495
                          SHA-256:6A08D0241262573BF1098020EC3BD5807B9303C361E801C510A35F49E893EE65
                          SHA-512:93105110026D42D7CDD48C2F5C04CA78F59FB6D7434741849CF3F4203536C1F5E4B1719429BB3005ECD45FBD8991690B1431357536C8BBB1D96C7E487F9075F9
                          Malicious:false
                          Preview:MDMP....... ..........b........................................8.......$...d;..........`.......8...........T............................"...........$...................................................................U...........B......P%......Lw................|.....T..............b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):6678
                          Entropy (8bit):3.72760217005663
                          Encrypted:false
                          SSDEEP:192:Rrl7r3GLNiEax6jSooYhNSx8CCpr989b4gW7fVom:RrlsNiJojSooYhNSP4p7fv
                          MD5:2F521D7AB8C6ABEE091480261B1BC764
                          SHA1:A590641E5DB006BE00B856A417765510EB700AFE
                          SHA-256:B9DF3C362BC36875DAC16029D2D9D38057DDDE078DE32AB3160F8FFC63CD150E
                          SHA-512:8A7BDF77DEAB242631FCF0B5BB570BF2CDF409E2FFBC2D3C545B7FF1097F922533390AA9B107F2AC5C94B89A410937B5016D9F2D01EC345AA5F51A673FD62A4A
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.5.2.<./.P.i.d.>.......
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4892
                          Entropy (8bit):4.505358903748867
                          Encrypted:false
                          SSDEEP:48:cvIwSD8zsXJgtBI9KcWgc8sqYjf8fm8M4JCRCII+nFEXyq8vhII+m0ZESC5SMd:uITf5AVgrsqYQJtvW3eVvMd
                          MD5:13555536D901F4E1034B9843C71A46E9
                          SHA1:44FC1A57192C982684C753D56B0BFE4A638C2518
                          SHA-256:C415F810072D8F5047AFDBAE7194416794CFB0B258F5B72579792F0B7773FAF1
                          SHA-512:0B7A9324415AD89DA811417331151E5A93CD99D051FA9AD24274321A27AADB07B9767380A04A817EEBCC97FA8C465672FBCBEB69180681C80C74EB759CB04CD1
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1527280" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Mon May 23 05:29:37 2022, 0x1205a4 type
                          Category:dropped
                          Size (bytes):65216
                          Entropy (8bit):2.2879602329885613
                          Encrypted:false
                          SSDEEP:384:m04cSe2YqH29QC7FcldYn1QYSXsLvaGRB:mfMqH29QCx+FYSXg
                          MD5:5F036A0EE06E7F8A37F2916DACA3FD90
                          SHA1:E0BE7693EACEE0FD3004AB408091FCAEFC214100
                          SHA-256:23677DE67B59ECDDB4F42D5E4062803F711A0554A2E9244BCB8F5441D040C4D8
                          SHA-512:E642656D8470B34B1743E6CBE55997AB278100D2AE9D7A5FD7BB4B6056A8153B3D67086967D2D41F947854F5AB597C210D2F6B7956861DCFCAEBB4C9BE29A908
                          Malicious:false
                          Preview:MDMP....... ..........b........................................8.......$...d;..........`.......8...........T...........X...h............"...........$...................................................................U...........B......P%......Lw..................D...T..............b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Mon May 23 05:29:38 2022, 0x1205a4 type
                          Category:dropped
                          Size (bytes):64428
                          Entropy (8bit):2.3099754861449417
                          Encrypted:false
                          SSDEEP:384:j04cSe2YqH2nbNCKUDPpcldYnCSG5a6p:jfMqH2bNCKC+tH
                          MD5:1DE1EC7CED80A4369CF671C0CCAF96E1
                          SHA1:A8892CBE7C9497C66B2736993B3DDE55F359AFB3
                          SHA-256:F11BF9E703C8D45A280388947283D9F82AC1152CBF34C6CA747FC23D708C5D39
                          SHA-512:0C99F5E4261D6935B152DE77152A4D04C8247B50BF2015A6ADC272359FDD9F448035268E6830566CA8C2AB7721BF856704D8FA78E39C5F5D92829BBEBCCB3AED
                          Malicious:false
                          Preview:MDMP....... ..........b........................................8.......$...d;..........`.......8...........T............................"...........$...................................................................U...........B......P%......Lw................T(o...T..............b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):6664
                          Entropy (8bit):3.725950692747971
                          Encrypted:false
                          SSDEEP:192:Rrl7r3GLNimJx/Ul+H3kYhNSxACprJ89bRt/fv7m:RrlsNiI5Ul+HUYhNSoRFfK
                          MD5:6001D212B5EB3A7ABBF335C898D3C3C5
                          SHA1:4894F791110FAEB18D9EC772C9CC4BF86B2FCE75
                          SHA-256:CF5603ABB60C16F4560F7AA77322A0CFBD3DFC15F58D94ABD75E9D1802045C35
                          SHA-512:5E71DAB490BFD9A5C88C9F5149C1F579678BD14122FBD0E1692D78DBB2C80B3823E087A4BCB1F8196507AC4423EE0DF36E8DF6A1581CBFC157D6CCEBB0E47B0A
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.3.6.<./.P.i.d.>.......
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4892
                          Entropy (8bit):4.503869739793946
                          Encrypted:false
                          SSDEEP:48:cvIwSD8zsXJgtBI9KcWgc8sqYj78fm8M4JCRCII+nF7yq8vhII+P0ZESC5Spd:uITf5AVgrsqY8Jt8W3JVvpd
                          MD5:47AA0CE1F66ACB829997A6775FD25EB2
                          SHA1:2E7B95D962BBF68430388A686744AD4F60412F81
                          SHA-256:A65356709DD7AD26A14B1EDA3F53F7FE2E79F9B0A556AB53F0FBA1CB479CE5C5
                          SHA-512:5A801063C35EFA6616CB61E9EEA970E4CEA5559AFC9E9A3A72C04DAC8693C8F222CA1FC7CAF7C5940DA4323B27CC9964EFC7AAB0F54C99B92EBDA0E82A3E8A2B
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1527280" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8654
                          Entropy (8bit):3.7019577354697155
                          Encrypted:false
                          SSDEEP:192:Rrl7r3GLNil+TUB+gh6Y8aBDgmfhNSxACpr889bIf2fa4m:RrlsNicTUB+gh6YXDgmfhNSHI+f0
                          MD5:1750C18A710CBAD9A9B097441376D048
                          SHA1:7577D35041786C148A49C98C099B99239208AD7B
                          SHA-256:81CC89B90768B2E03E8F4A780AC65E00AA8CA148560FB9A8D4CD1B41E1267785
                          SHA-512:3A92B9D8D79013DA61AA48AFBA0D92C6F52B53178C953BFACD04D7FD62270F7581679BDA03580DCFF6770B3072DC62CF10F225FC8426A084449B3A2C3F7D6616
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.2.4.<./.P.i.d.>.......
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4892
                          Entropy (8bit):4.50421410004922
                          Encrypted:false
                          SSDEEP:48:cvIwSD8zsXJgtBI9KcWgc8sqYjl8fm8M4JCRCII+nFjyq8vhII+D0ZESC5Smd:uITf5AVgrsqYGJtsW3VVvmd
                          MD5:DACBE25C80B0FF301B54B760288687C5
                          SHA1:BF0A6F8F31707964EE580656201C96D07AC05322
                          SHA-256:C2382A5F6DECE4378F908631D2EFE6208690E1F87E3C2CC5D8F3A6E14A9A1653
                          SHA-512:BCD8A4E4B5C4D51EB6643C72ECBED76EEB5F38F90946F5A3626666D1029FE1174328B679DD770C284E2247BD35DE34D773DF6BDE7B1EF71C18032F3AFD0C87E1
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1527280" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                          Process:C:\Windows\System32\svchost.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):55
                          Entropy (8bit):4.306461250274409
                          Encrypted:false
                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                          Malicious:false
                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                          File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Entropy (8bit):7.152718217466625
                          TrID:
                          • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                          • Win64 Executable (generic) (12005/4) 10.17%
                          • Generic Win/DOS Executable (2004/3) 1.70%
                          • DOS Executable Generic (2002/1) 1.70%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                          File name:JtJ50Swtfo.dll
                          File size:371200
                          MD5:646ca94d40f268c87215ffea9fd0e826
                          SHA1:22e67eb4d6e4b5f09e3de5a6021462adcf99fe75
                          SHA256:52769f52f479f16d61c449d307c7fd1fa23faa0b5589500e0967cd7955ca93d6
                          SHA512:5ae522eb99551146f84f9aa94f270083cedc1bb8df26697e15d57fcf7af126766f8f18ed4ffac06df46d88e07c08a8523cd8a4187af3dd8173baf35272de794b
                          SSDEEP:6144:hlNuuXQASByX7LxoJcXy16qFHJ7wwD1w3pq6jTK/V9OT0u:hlNu9ASByX7xy/BJ7rGTK/V3
                          TLSH:36848E46F7F551E5E8F7C13889A23267F9317C948B38A7CB8A44466A4F70BA0E93D701
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8..ik..ik..ik...k..ik...k..ik...k..ik..hk..ik...k..ik...k..ik...k..ik...k..ikRich..ik................PE..d....{.b.........."
                          Icon Hash:74f0e4ecccdce0e4
                          Entrypoint:0x180003580
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x180000000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x62877BF5 [Fri May 20 11:31:01 2022 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:2
                          File Version Major:5
                          File Version Minor:2
                          Subsystem Version Major:5
                          Subsystem Version Minor:2
                          Import Hash:ad5c5b0f3e2e211c551f3b5059e614d7
                          Instruction
                          dec esp
                          mov dword ptr [esp+18h], eax
                          mov dword ptr [esp+10h], edx
                          dec eax
                          mov dword ptr [esp+08h], ecx
                          dec eax
                          sub esp, 28h
                          cmp dword ptr [esp+38h], 01h
                          jne 00007F0D9877FCD7h
                          call 00007F0D98785037h
                          dec esp
                          mov eax, dword ptr [esp+40h]
                          mov edx, dword ptr [esp+38h]
                          dec eax
                          mov ecx, dword ptr [esp+30h]
                          call 00007F0D9877FCE4h
                          dec eax
                          add esp, 28h
                          ret
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          dec esp
                          mov dword ptr [esp+18h], eax
                          mov dword ptr [esp+10h], edx
                          dec eax
                          mov dword ptr [esp+08h], ecx
                          dec eax
                          sub esp, 48h
                          mov dword ptr [esp+20h], 00000001h
                          cmp dword ptr [esp+58h], 00000000h
                          jne 00007F0D9877FCE2h
                          cmp dword ptr [00028DE8h], 00000000h
                          jne 00007F0D9877FCD9h
                          xor eax, eax
                          jmp 00007F0D9877FDF4h
                          cmp dword ptr [esp+58h], 01h
                          je 00007F0D9877FCD9h
                          cmp dword ptr [esp+58h], 02h
                          jne 00007F0D9877FD20h
                          dec eax
                          cmp dword ptr [0001ED99h], 00000000h
                          je 00007F0D9877FCEAh
                          dec esp
                          mov eax, dword ptr [esp+60h]
                          mov edx, dword ptr [esp+58h]
                          dec eax
                          mov ecx, dword ptr [esp+50h]
                          call dword ptr [0001ED83h]
                          mov dword ptr [esp+20h], eax
                          cmp dword ptr [esp+20h], 00000000h
                          je 00007F0D9877FCE9h
                          dec esp
                          mov eax, dword ptr [esp+60h]
                          mov edx, dword ptr [esp+58h]
                          dec eax
                          mov ecx, dword ptr [esp+50h]
                          call 00007F0D9877FA3Ah
                          mov dword ptr [esp+20h], eax
                          cmp dword ptr [esp+20h], 00000000h
                          jne 00007F0D9877FCD9h
                          xor eax, eax
                          Programming Language:
                          • [LNK] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [C++] VS2010 build 30319
                          • [EXP] VS2010 build 30319
                          • [RES] VS2010 build 30319
                          • [IMP] VS2008 SP1 build 30729
                          Name                                  Virtual Address  Virtual Size  Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x2aab0          0x84          .rdata
                          IMAGE_DIRECTORY_ENTRY_IMPORT          0x2a1e4          0x50          .rdata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x30000          0x2e9fc       .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x2f000          0xfcc         .pdata
                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5f000          0x294         .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_IAT             0x22000          0x298         .rdata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type             Entropy        Characteristics
                          .text   0x1000           0x203fa       0x20400   False     0.405439983043   zlib compressed data  5.75409030586  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rdata  0x22000          0x8b34        0x8c00    False     0.275446428571   data                  4.41532108635  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data   0x2b000          0x3798        0x1400    False     0.161328125      data                  2.21550179132  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .pdata  0x2f000          0xfcc         0x1000    False     0.5048828125     data                  5.08183440168  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .rsrc   0x30000          0x2e9fc       0x2ea00   False     0.887011980563   data                  7.85049584102  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc  0x5f000          0x6fc         0x800     False     0.21435546875    data                  2.34217115221  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name         RVA      Size     Type                                    Language  Country
                          RT_FONTDIR   0x300a0  0x2e800  data                                    English   United States
                          RT_MANIFEST  0x5e8a0  0x15a    ASCII text, with CRLF line terminators  English   United States
                          DLL           Import
                          KERNEL32.dll  GetTimeFormatA, GetDateFormatA, GetThreadLocale, FileTimeToSystemTime, VirtualAlloc, ExitProcess, CloseHandle, CreateFileW, SetStdHandle, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, RtlUnwindEx, EncodePointer, FlsGetValue, FlsAlloc, FlsFree, SetLastError, GetLastError, HeapSize, HeapValidate, IsBadReadPtr, DecodePointer, GetProcAddress, GetModuleHandleW, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, GetVersion, HeapCreate, HeapDestroy, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, HeapAlloc, GetModuleFileNameW, HeapReAlloc, HeapQueryInformation, HeapFree, WriteFile, LoadLibraryW, LCMapStringW, MultiByteToWideChar, GetStringTypeW, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, RaiseException, RtlPcToFileHeader, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers
                          USER32.dll    MessageBoxA
                          ole32.dll     CoTaskMemFree, CoTaskMemAlloc, CoLoadLibrary
                          Name               Ordinal  Address
                          AddIn_FileTime     1        0x180001140
                          AddIn_SystemTime   2        0x1800010b0
                          DllRegisterServer  3        0x180003110
                          Language of compilation system  Country where language is spoken
                          English                         United States
                          Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                          May 22, 2022 22:29:59.489087105 CEST  49777        8080       192.168.2.5    165.22.73.229
                          May 22, 2022 22:29:59.531128883 CEST  8080         49777      165.22.73.229  192.168.2.5
                          May 22, 2022 22:29:59.531321049 CEST  49777        8080       192.168.2.5    165.22.73.229
                          May 22, 2022 22:29:59.628360033 CEST  49777        8080       192.168.2.5    165.22.73.229
                          May 22, 2022 22:29:59.670537949 CEST  8080         49777      165.22.73.229  192.168.2.5
                          May 22, 2022 22:29:59.680217028 CEST  8080         49777      165.22.73.229  192.168.2.5
                          May 22, 2022 22:29:59.680253983 CEST  8080         49777      165.22.73.229  192.168.2.5
                          May 22, 2022 22:29:59.680344105 CEST  49777        8080       192.168.2.5    165.22.73.229
                          May 22, 2022 22:30:00.540261030 CEST  49777        8080       192.168.2.5    165.22.73.229
                          May 22, 2022 22:30:00.608218908 CEST  8080         49777      165.22.73.229  192.168.2.5
                          May 22, 2022 22:30:00.608436108 CEST  49777        8080       192.168.2.5    165.22.73.229
                          May 22, 2022 22:30:00.648366928 CEST  49777        8080       192.168.2.5    165.22.73.229
                          May 22, 2022 22:30:00.732100964 CEST  8080         49777      165.22.73.229  192.168.2.5
                          May 22, 2022 22:30:00.900325060 CEST  8080         49777      165.22.73.229  192.168.2.5
                          May 22, 2022 22:30:00.900473118 CEST  49777        8080       192.168.2.5    165.22.73.229
                          May 22, 2022 22:30:03.899759054 CEST  8080         49777      165.22.73.229  192.168.2.5
                          May 22, 2022 22:30:03.899795055 CEST  8080         49777      165.22.73.229  192.168.2.5
                          May 22, 2022 22:30:03.899924040 CEST  49777        8080       192.168.2.5    165.22.73.229
                          May 22, 2022 22:30:03.899954081 CEST  49777        8080       192.168.2.5    165.22.73.229
                          May 22, 2022 22:31:49.447776079 CEST  49777        8080       192.168.2.5    165.22.73.229
                          May 22, 2022 22:31:49.447818995 CEST  49777        8080       192.168.2.5    165.22.73.229


                          Target ID:0
                          Start time:22:29:16
                          Start date:22/05/2022
                          Path:C:\Windows\System32\loaddll64.exe
                          Wow64 process (32bit):false
                          Commandline:loaddll64.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll"
                          Imagebase:0x7ff7a0d20000
                          File size:140288 bytes
                          MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:1
                          Start time:22:29:17
                          Start date:22/05/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1
                          Imagebase:0x7ff602050000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:2
                          Start time:22:29:17
                          Start date:22/05/2022
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32.exe /s C:\Users\user\Desktop\JtJ50Swtfo.dll
                          Imagebase:0x7ff705580000
                          File size:24064 bytes
                          MD5 hash:D78B75FC68247E8A63ACBA846182740E
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.458651717.0000000002A20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.459283574.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:3
                          Start time:22:29:17
                          Start date:22/05/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:rundll32.exe "C:\Users\user\Desktop\JtJ50Swtfo.dll",#1
                          Imagebase:0x7ff7d2730000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.495781137.0000018014000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.454207000.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.454739254.0000018014000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.457838374.0000018014000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.494965359.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.456381918.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:4
                          Start time:22:29:18
                          Start date:22/05/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_FileTime
                          Imagebase:0x7ff7d2730000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.454696390.0000021310570000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.457901753.0000021310570000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.492879250.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.457423446.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.454349685.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.493226824.0000021310570000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:5
                          Start time:22:29:22
                          Start date:22/05/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,AddIn_SystemTime
                          Imagebase:0x7ff7d2730000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.461474320.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.461684776.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.470298484.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.465354445.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.507680225.00000297062B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.507222158.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:8
                          Start time:22:29:24
                          Start date:22/05/2022
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GJzmbimn\geJzufDvqRClHij.dll"
                          Imagebase:0x7ff705580000
                          File size:24064 bytes
                          MD5 hash:D78B75FC68247E8A63ACBA846182740E
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.964474360.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.964188108.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:9
                          Start time:22:29:26
                          Start date:22/05/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:rundll32.exe C:\Users\user\Desktop\JtJ50Swtfo.dll,DllRegisterServer
                          Imagebase:0x7ff7d2730000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:11
                          Start time:22:29:27
                          Start date:22/05/2022
                          Path:C:\Windows\System32\WerFault.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7136 -s 328
                          Imagebase:0x7ff76a840000
                          File size:494488 bytes
                          MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:12
                          Start time:22:29:28
                          Start date:22/05/2022
                          Path:C:\Windows\System32\WerFault.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7124 -s 336
                          Imagebase:0x7ff76a840000
                          File size:494488 bytes
                          MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:13
                          Start time:22:29:37
                          Start date:22/05/2022
                          Path:C:\Windows\System32\WerFault.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\WerFault.exe -u -p 3552 -s 332
                          Imagebase:0x7ff76a840000
                          File size:494488 bytes
                          MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:14
                          Start time:22:29:38
                          Start date:22/05/2022
                          Path:C:\Windows\System32\WerFault.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\WerFault.exe -u -p 3552 -s 332
                          Imagebase:0x7ff76a840000
                          File size:494488 bytes
                          MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:16
                          Start time:22:29:42
                          Start date:22/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:17
                          Start time:22:29:52
                          Start date:22/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:22
                          Start time:22:30:31
                          Start date:22/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:25
                          Start time:22:31:18
                          Start date:22/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:26
                          Start time:22:31:40
                          Start date:22/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:28
                          Start time:22:31:59
                          Start date:22/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          No disassembly