Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
yj81rxDZIp

Overview

General Information

Sample Name:yj81rxDZIp (renamed file extension from none to dll)
Analysis ID:626482
MD5:4f1cdae4390ecb862267f2eaaf826c74
SHA1:082de69d51991350ddfc05350073a55571c3ce5d
SHA256:c4e2c26fd37189447fcd387393974199933fdbffaadf2faaaac5347d1b0a8ef5
Tags:exetrojan
Infos:

Detection

Emotet
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Program does not show much activity (idle)
IP address seen in connection with other malware
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7068 cmdline: loaddll64.exe "C:\Users\user\Desktop\yj81rxDZIp.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 7080 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yj81rxDZIp.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7104 cmdline: rundll32.exe "C:\Users\user\Desktop\yj81rxDZIp.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • regsvr32.exe (PID: 2532 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KZsiDdn\sdxQuTDjzsbvXJ.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 7092 cmdline: regsvr32.exe /s C:\Users\user\Desktop\yj81rxDZIp.dll MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 7112 cmdline: rundll32.exe C:\Users\user\Desktop\yj81rxDZIp.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3384 cmdline: rundll32.exe C:\Users\user\Desktop\yj81rxDZIp.dll,DllUnregisterServer MD5: 73C519F050C20580F8A62C849D49215A)
  • svchost.exe (PID: 1300 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5756 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7160 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6696 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1592 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
00000003.00000002.436780201.0000000180001000.00000020.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
    00000004.00000002.434955422.000001A2C05E0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
      00000002.00000002.434632880.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
        00000006.00000002.944705463.0000000000B80000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
          00000003.00000002.437553196.0000012A08A10000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
            Click to see the 3 entries
            SourceRuleDescriptionAuthorStrings
            3.2.rundll32.exe.12a08a10000.0.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
              6.2.regsvr32.exe.b80000.1.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                6.2.regsvr32.exe.b80000.1.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                  2.2.regsvr32.exe.ce0000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                    4.2.rundll32.exe.1a2c05e0000.1.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                      Click to see the 3 entries
                      No Sigma rule has matched
                      Timestamp:192.168.2.5150.95.66.1244977580802404312 05/14/22-04:33:59.725234
                      SID:2404312
                      Source Port:49775
                      Destination Port:8080
                      Protocol:TCP
                      Classtype:A Network Trojan was detected

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Source: yj81rxDZIp.dllVirustotal: Detection: 35%Perma Link
                      Source: https://23.239.0.12/xAvira URL Cloud: Label: malware
                      Source: https://23.239.0.12/?Avira URL Cloud: Label: malware
                      Source: https://23.239.0.12/=Avira URL Cloud: Label: malware
                      Source: https://150.95.66.124:8080/Virustotal: Detection: 6%Perma Link
                      Source: unknownHTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.5:49773 version: TLS 1.2
                      Source: yj81rxDZIp.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.944457970.00000000008B5000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.944457970.00000000008B5000.00000004.00000010.00020000.00000000.sdmp
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,

                      Networking

                      barindex
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 150.95.66.124 8080
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 23.239.0.12 443
                      Source: TrafficSnort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.5:49775 -> 150.95.66.124:8080
                      Source: Joe Sandbox ViewASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
                      Source: Joe Sandbox ViewASN Name: GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG
                      Source: Joe Sandbox ViewJA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: QplU=hBL9qJmGvW/2EuZ+GBF9bH2Pgx/JXOgEgUtSMs/Xr65WzDcqetddaWzwuXh5JGx39JgIR932OSnFY7E9phFJznqERMAUy3kUCUPxgga7CbKI6PBLY6I638PGhOIVZSUw305F9rapXw/czJXriHFq3NWcZgk0+SEeip6YZgc+3gUrtVrVeMEIF9KknYl3mfXEDIMIpUXTxabJMjN6Z50nL/WUTE7lAATo6Fjj4ZuuVOtxKlmhmkYxOI9E6JidVirta2dbsnCt+uBB1ViBVc3HvZOhdAwkTZXZin4oG8ahn7usXUw+DZruLwhbao/dbbpRRY9R4mVWuKxe55MemWZ4R6k=Host: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 23.239.0.12 23.239.0.12
                      Source: Joe Sandbox ViewIP Address: 150.95.66.124 150.95.66.124
                      Source: global trafficTCP traffic: 192.168.2.5:49775 -> 150.95.66.124:8080
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: unknownTCP traffic detected without corresponding DNS query: 150.95.66.124
                      Source: svchost.exe, 00000016.00000003.570659323.0000023559D61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO"," equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000016.00000003.570659323.0000023559D61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO"," equals www.twitter.com (Twitter)
                      Source: svchost.exe, 00000016.00000003.570659323.0000023559D61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 00000016.00000003.570659323.0000023559D61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 00000016.00000003.570659323.0000023559D61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 00000016.00000003.570659323.0000023559D61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: regsvr32.exe, 00000006.00000003.499195648.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944607086.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.504672087.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.843036544.000002282D65F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.616890927.0000023559D00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 00000016.00000002.616786064.00000235594EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                      Source: regsvr32.exe, 00000006.00000002.944648757.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.504698135.0000000000A7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: regsvr32.exe, 00000006.00000003.504573320.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944559132.00000000009F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enEM32
                      Source: svchost.exe, 00000016.00000003.589933112.0000023559D9F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.590112698.0000023559D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: regsvr32.exe, 00000006.00000003.504573320.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944559132.00000000009F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.95.66.124/
                      Source: regsvr32.exe, 00000006.00000003.504672087.0000000000A41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.95.66.124:8080/
                      Source: regsvr32.exe, 00000006.00000003.504573320.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.504585685.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.504659041.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499268137.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499295870.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944559132.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499409533.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944590898.0000000000A22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://23.239.0.12/
                      Source: regsvr32.exe, 00000006.00000003.504585685.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.504659041.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499295870.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499409533.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944590898.0000000000A22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://23.239.0.12/=
                      Source: regsvr32.exe, 00000006.00000003.504585685.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.504659041.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499295870.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499409533.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944590898.0000000000A22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://23.239.0.12/?
                      Source: regsvr32.exe, 00000006.00000003.504573320.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499268137.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944559132.00000000009F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://23.239.0.12/x
                      Source: svchost.exe, 00000016.00000003.589933112.0000023559D9F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.590112698.0000023559D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 00000016.00000003.585431569.0000023559DBC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585412811.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585397505.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585362996.0000023559D9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585448090.000002355A202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.586829312.0000023559D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.hotspotshield.com/
                      Source: svchost.exe, 00000016.00000003.589933112.0000023559D9F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.590112698.0000023559D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000016.00000003.589933112.0000023559D9F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.590112698.0000023559D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000016.00000003.585431569.0000023559DBC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585412811.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585397505.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585362996.0000023559D9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585448090.000002355A202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.586829312.0000023559D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.hotspotshield.com/terms/
                      Source: svchost.exe, 00000016.00000003.585431569.0000023559DBC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585412811.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585397505.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585362996.0000023559D9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585448090.000002355A202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.586829312.0000023559D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.pango.co/privacy
                      Source: svchost.exe, 00000016.00000003.594720633.000002355A218000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.594881074.0000023559DA1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.594813489.000002355A218000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.594855999.0000023559D82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.594837634.000002355A202000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800132F0 InternetReadFile,RtlAllocateHeap,
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: QplU=hBL9qJmGvW/2EuZ+GBF9bH2Pgx/JXOgEgUtSMs/Xr65WzDcqetddaWzwuXh5JGx39JgIR932OSnFY7E9phFJznqERMAUy3kUCUPxgga7CbKI6PBLY6I638PGhOIVZSUw305F9rapXw/czJXriHFq3NWcZgk0+SEeip6YZgc+3gUrtVrVeMEIF9KknYl3mfXEDIMIpUXTxabJMjN6Z50nL/WUTE7lAATo6Fjj4ZuuVOtxKlmhmkYxOI9E6JidVirta2dbsnCt+uBB1ViBVc3HvZOhdAwkTZXZin4oG8ahn7usXUw+DZruLwhbao/dbbpRRY9R4mVWuKxe55MemWZ4R6k=Host: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownHTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.5:49773 version: TLS 1.2

                      E-Banking Fraud

                      barindex
                      Source: Yara matchFile source: 3.2.rundll32.exe.12a08a10000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.b80000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.b80000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.ce0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1a2c05e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.ce0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1a2c05e0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.12a08a10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.436780201.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.434955422.000001A2C05E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.434632880.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.944705463.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.437553196.0000012A08A10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.434704633.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.944856611.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.435422797.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\System32\rundll32.exeFile deleted: C:\Windows\System32\KZsiDdn\sdxQuTDjzsbvXJ.dll:Zone.IdentifierJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\system32\UZGafOdUUOHTFa\Jump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA5323FCA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA5323E6C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA53236F0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA5323FB6C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA5323AF70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA5323EB60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA5323A77C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA5323B5CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA5323AA0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA5323895C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA53235944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00CD0000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180010FF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180028C20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180009100
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001C964
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000C608
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180021618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001E3AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DBE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001FC0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000580C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180022010
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001481C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002A42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180011834
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180023831
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180021C3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000703C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000AC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000FC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180006458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001C05C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001A460
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180029888
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001D49C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180008CA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800248A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180015CB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800124B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000C4B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800288B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800024B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000D8C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800250CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800190D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180017CE4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800264F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800014F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180020CFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C904
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180017908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180021510
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F917
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000BDD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180013E28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001435C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180009F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180029368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180020768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180017378
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180013780
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180015388
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000338C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000738C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180002790
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180027F9C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800197A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C7B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DFB4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001F7C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800097C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800157D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019FDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180017BDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F7E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180028C20
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180007958
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180013E28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180023831
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800024B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000D8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800250CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800190D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180017CE4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800264F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800014F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180020CFC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C904
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180017908
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180021510
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F917
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000551C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F128
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001CD38
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180016D3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001F944
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180018148
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001D950
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180013150
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001ED50
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001E960
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019D60
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001C964
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180001D68
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001496C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180002D70
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180002178
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180024D80
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180018598
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180003598
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002A9A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800119A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180025DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180018DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800269B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800059B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800029BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800141C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800125C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800121CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800075D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800095DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F9E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019618
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001FA38
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000A270
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019E78
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DA80
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180024698
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000EE98
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800176B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180011AD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180008AD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800296EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000A6EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800132F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019300
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001BB04
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002870C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180026B10
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000131C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000671C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180029B28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180012F28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000BB28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001EB30
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180020334
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180010758
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001435C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180009F5C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180029368
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180020768
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180017378
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180013780
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180015388
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000338C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000738C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180002790
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180027F9C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800197A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C7B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DFB4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001F7C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800097C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800157D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019FDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180017BDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F7E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000012A07230000
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800024B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000D8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800250CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800190D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017CE4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800264F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800014F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180020CFC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C904
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017908
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180021510
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F917
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000551C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F128
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001CD38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180016D3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001F944
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018148
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001ED50
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013150
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D950
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E960
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019D60
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C964
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001D68
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001496C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002D70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002178
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180024D80
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018598
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180003598
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002A9A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800119A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180025DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800269B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800059B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800029BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800141C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800125C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800121CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800075D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800095DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F9E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013E28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FA38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A270
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019E78
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DA80
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180024698
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000EE98
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800176B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180011AD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008AD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800296EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A6EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800132F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019300
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BB04
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002870C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180026B10
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000131C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000671C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180029B28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180012F28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000BB28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001EB30
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180020334
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180010758
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001435C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180009F5C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180029368
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180020768
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017378
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013780
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180015388
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000338C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000738C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002790
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800197A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C7B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DFB4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001F7C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800097C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800157D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019FDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017BDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F7E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000001A2C0330000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00980000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180010FF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180028C20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002C058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001ACA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000E1E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000C608
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180021618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180013E28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002AE44
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D26C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180025278
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800046A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180004ACA
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001DBE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001FC0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000580C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180022010
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001481C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002A42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180011834
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180021C3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000703C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000AC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000FC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180024458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180006458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001C05C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001A460
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180029888
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001D49C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180008CA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800248A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180015CB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800124B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000C4B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800288B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800024B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D8C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800250CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800190D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180017CE4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800264F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800014F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180020CFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180009100
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002C904
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180017908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180021510
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000F917
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001C964
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001C568
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180024574
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001F1A4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000BDD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002CAD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001435C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180009F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180029368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180020768
                      Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
                      Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
                      Source: yj81rxDZIp.dllVirustotal: Detection: 35%
                      Source: yj81rxDZIp.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\yj81rxDZIp.dll"
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yj81rxDZIp.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yj81rxDZIp.dll
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yj81rxDZIp.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yj81rxDZIp.dll,DllRegisterServer
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yj81rxDZIp.dll,DllUnregisterServer
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KZsiDdn\sdxQuTDjzsbvXJ.dll"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yj81rxDZIp.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yj81rxDZIp.dll
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yj81rxDZIp.dll,DllRegisterServer
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yj81rxDZIp.dll,DllUnregisterServer
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yj81rxDZIp.dll",#1
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KZsiDdn\sdxQuTDjzsbvXJ.dll"
                      Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
                      Source: classification engineClassification label: mal92.troj.evad.winDLL@19/5@0/4
                      Source: C:\Windows\System32\regsvr32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800046A8 CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,FindCloseChangeNotification,
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yj81rxDZIp.dll",#1
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: yj81rxDZIp.dllStatic PE information: Image base 0x180000000 > 0x60000000
                      Source: yj81rxDZIp.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.944457970.00000000008B5000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.944457970.00000000008B5000.00000004.00000010.00020000.00000000.sdmp
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001AFFD push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800051D1 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001BA32 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180004E83 push es; ret
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001B694 push es; ret
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001BADD push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001B717 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180007B3F push esp; retf
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001AF4E push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001AFFD push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800051D1 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001BA32 push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180004E83 push es; ret
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001B694 push es; ret
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001BADD push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001B717 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001AF4E push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AFFD push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800051D1 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BA32 push ebp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180004E83 push es; ret
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001B694 push es; ret
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BADD push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001B717 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180007B3F push esp; retf
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AF4E push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800051D1 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180004E83 push es; ret
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180007B3F push esp; retf
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA53237BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,
                      Source: yj81rxDZIp.dllStatic PE information: real checksum: 0x85ab6 should be: 0x925b5
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yj81rxDZIp.dll
                      Source: C:\Windows\System32\rundll32.exePE file moved: C:\Windows\System32\KZsiDdn\sdxQuTDjzsbvXJ.dllJump to behavior

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Windows\system32\UZGafOdUUOHTFa\Ungk.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\system32\KZsiDdn\sdxQuTDjzsbvXJ.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\system32\ImNHWeflhr\kbFonV.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 7060Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6472Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5876Thread sleep time: -90000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                      Source: C:\Windows\System32\regsvr32.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,
                      Source: C:\Windows\System32\regsvr32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\regsvr32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: svchost.exe, 0000000F.00000002.843036544.000002282D65F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "@Hyper-V RAW
                      Source: regsvr32.exe, 00000006.00000003.504585685.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.504659041.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499295870.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499409533.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944590898.0000000000A22000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.843008663.000002282D652000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.842276174.0000022827E29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.616634196.00000235594AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.616786064.00000235594EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000010.00000002.944526689.0000016B76802000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: regsvr32.exe, 00000006.00000003.504585685.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.504659041.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499295870.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499409533.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944590898.0000000000A22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWG
                      Source: regsvr32.exe, 00000006.00000003.504585685.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944572376.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499295870.0000000000A07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0w
                      Source: svchost.exe, 00000010.00000002.944563842.0000016B76828000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA532320E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA53237BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,
                      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA5323D318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA532320E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA53236550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 150.95.66.124 8080
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 23.239.0.12 443
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yj81rxDZIp.dll",#1
                      Source: C:\Windows\System32\regsvr32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA53234558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFA5323E6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara matchFile source: 3.2.rundll32.exe.12a08a10000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.b80000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.b80000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.ce0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1a2c05e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.ce0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1a2c05e0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.12a08a10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.436780201.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.434955422.000001A2C05E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.434632880.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.944705463.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.437553196.0000012A08A10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.434704633.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.944856611.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.435422797.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid Accounts2
                      Native API
                      1
                      DLL Side-Loading
                      111
                      Process Injection
                      2
                      Masquerading
                      OS Credential Dumping2
                      System Time Discovery
                      Remote Services1
                      Archive Collected Data
                      Exfiltration Over Other Network Medium11
                      Encrypted Channel
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                      DLL Side-Loading
                      3
                      Virtualization/Sandbox Evasion
                      LSASS Memory31
                      Security Software Discovery
                      Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
                      Non-Standard Port
                      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)111
                      Process Injection
                      Security Account Manager3
                      Virtualization/Sandbox Evasion
                      SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
                      Ingress Tool Transfer
                      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      Hidden Files and Directories
                      NTDS2
                      Process Discovery
                      Distributed Component Object ModelInput CaptureScheduled Transfer1
                      Non-Application Layer Protocol
                      SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      Obfuscated Files or Information
                      LSA Secrets1
                      Remote System Discovery
                      SSHKeyloggingData Transfer Size Limits2
                      Application Layer Protocol
                      Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common1
                      Regsvr32
                      Cached Domain Credentials2
                      File and Directory Discovery
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                      Rundll32
                      DCSync34
                      System Information Discovery
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading
                      Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                      File Deletion
                      /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 626482 Sample: yj81rxDZIp Startdate: 14/05/2022 Architecture: WINDOWS Score: 92 41 Snort IDS alert for network traffic 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Antivirus detection for URL or domain 2->45 47 2 other signatures 2->47 8 loaddll64.exe 1 2->8         started        10 svchost.exe 9 1 2->10         started        13 svchost.exe 2->13         started        15 4 other processes 2->15 process3 dnsIp4 17 cmd.exe 1 8->17         started        19 regsvr32.exe 1 8->19         started        22 rundll32.exe 2 8->22         started        24 rundll32.exe 8->24         started        33 127.0.0.1 unknown unknown 10->33 process5 signatures6 26 rundll32.exe 2 17->26         started        49 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->49 process7 signatures8 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->51 29 regsvr32.exe 26->29         started        process9 dnsIp10 35 23.239.0.12, 443, 49773 LINODE-APLinodeLLCUS United States 29->35 37 150.95.66.124, 49775, 8080 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG Singapore 29->37 39 192.168.2.1 unknown unknown 29->39 53 System process connects to network (likely due to code injection or exploit) 29->53 signatures11

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand
                      SourceDetectionScannerLabelLink
                      yj81rxDZIp.dll35%VirustotalBrowse
                      No Antivirus matches
                      SourceDetectionScannerLabelLinkDownload
                      2.2.regsvr32.exe.ce0000.0.unpack100%AviraHEUR/AGEN.1215493Download File
                      4.2.rundll32.exe.1a2c05e0000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      6.2.regsvr32.exe.b80000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      3.2.rundll32.exe.12a08a10000.0.unpack100%AviraHEUR/AGEN.1215493Download File
                      No Antivirus matches
                      SourceDetectionScannerLabelLink
                      https://www.disneyplus.com/legal/your-california-privacy-rights0%URL Reputationsafe
                      https://www.disneyplus.com/legal/privacy-policy0%URL Reputationsafe
                      https://150.95.66.124:8080/7%VirustotalBrowse
                      https://150.95.66.124:8080/0%Avira URL Cloudsafe
                      https://150.95.66.124/0%Avira URL Cloudsafe
                      https://23.239.0.12/x100%Avira URL Cloudmalware
                      https://www.pango.co/privacy0%URL Reputationsafe
                      https://disneyplus.com/legal.0%URL Reputationsafe
                      https://23.239.0.12/?100%Avira URL Cloudmalware
                      http://crl.ver)0%Avira URL Cloudsafe
                      https://23.239.0.12/=100%Avira URL Cloudmalware
                      https://www.tiktok.com/legal/report/feedback0%URL Reputationsafe
                      https://23.239.0.12/0%URL Reputationsafe
                      http://help.disneyplus.com.0%URL Reputationsafe
                      No contacted domains info
                      NameMaliciousAntivirus DetectionReputation
                      https://23.239.0.12/true
                      • URL Reputation: safe
                      unknown
                      NameSourceMaliciousAntivirus DetectionReputation
                      https://www.disneyplus.com/legal/your-california-privacy-rightssvchost.exe, 00000016.00000003.589933112.0000023559D9F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.590112698.0000023559D82000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://www.disneyplus.com/legal/privacy-policysvchost.exe, 00000016.00000003.589933112.0000023559D9F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.590112698.0000023559D82000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://150.95.66.124:8080/regsvr32.exe, 00000006.00000003.504672087.0000000000A41000.00000004.00000020.00020000.00000000.sdmptrue
                      • 7%, Virustotal, Browse
                      • Avira URL Cloud: safe
                      unknown
                      https://150.95.66.124/regsvr32.exe, 00000006.00000003.504573320.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944559132.00000000009F2000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.hotspotshield.com/terms/svchost.exe, 00000016.00000003.585431569.0000023559DBC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585412811.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585397505.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585362996.0000023559D9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585448090.000002355A202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.586829312.0000023559D82000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        https://23.239.0.12/xregsvr32.exe, 00000006.00000003.504573320.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499268137.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944559132.00000000009F2000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: malware
                        unknown
                        https://www.pango.co/privacysvchost.exe, 00000016.00000003.585431569.0000023559DBC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585412811.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585397505.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585362996.0000023559D9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585448090.000002355A202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.586829312.0000023559D82000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://disneyplus.com/legal.svchost.exe, 00000016.00000003.589933112.0000023559D9F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.590112698.0000023559D82000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://23.239.0.12/?regsvr32.exe, 00000006.00000003.504585685.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.504659041.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499295870.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499409533.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944590898.0000000000A22000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: malware
                        unknown
                        http://crl.ver)svchost.exe, 00000016.00000002.616786064.00000235594EB000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        low
                        https://23.239.0.12/=regsvr32.exe, 00000006.00000003.504585685.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.504659041.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499295870.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.499409533.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.944590898.0000000000A22000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: malware
                        unknown
                        https://www.tiktok.com/legal/report/feedbacksvchost.exe, 00000016.00000003.594720633.000002355A218000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.594881074.0000023559DA1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.594813489.000002355A218000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.594855999.0000023559D82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.594837634.000002355A202000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://help.disneyplus.com.svchost.exe, 00000016.00000003.589933112.0000023559D9F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.590112698.0000023559D82000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://support.hotspotshield.com/svchost.exe, 00000016.00000003.585431569.0000023559DBC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585412811.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585397505.0000023559DD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585362996.0000023559D9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.585448090.000002355A202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.586829312.0000023559D82000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
                          IPDomainCountryFlagASNASN NameMalicious
                          23.239.0.12
                          unknownUnited States
                          63949LINODE-APLinodeLLCUStrue
                          150.95.66.124
                          unknownSingapore
                          135161GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSGtrue
                          IP
                          192.168.2.1
                          127.0.0.1
                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:626482
                          Start date and time: 14/05/202204:32:132022-05-14 04:32:13 +02:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 10m 35s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:yj81rxDZIp (renamed file extension from none to dll)
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:27
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal92.troj.evad.winDLL@19/5@0/4
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:Failed
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Override analysis time to 240s for rundll32
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 20.49.150.241, 23.205.181.161, 40.127.240.158, 23.211.4.86, 20.223.24.244
                          • Excluded domains from analysis (whitelisted): fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, sls.update.microsoft.com, settings-prod-neu-1.northeurope.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, atm-settingsfe-prod-geo.trafficmanager.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, settings-prod-uks-2.uksouth.cloudapp.azure.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          TimeTypeDescription
                          04:33:55API Interceptor11x Sleep call for process: svchost.exe modified
                          No context
                          No context
                          No context
                          No context
                          No context
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):8192
                          Entropy (8bit):0.3593198815979092
                          Encrypted:false
                          SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
                          MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
                          SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
                          SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
                          SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
                          Malicious:false
                          Preview:.............*..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................*.............................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\svchost.exe
                          File Type:MPEG-4 LOAS
                          Category:dropped
                          Size (bytes):1310720
                          Entropy (8bit):0.24941011137019306
                          Encrypted:false
                          SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4Y:BJiRdwfu2SRU4Y
                          MD5:0A50BC0D8944C740545889B492DD729E
                          SHA1:09C2138770C17485809429A5588CCE24EB529AC5
                          SHA-256:EC34BBB5C1C72A00395DC9091C87DFD3C931AE939B5655476F6E8CA22567B97C
                          SHA-512:2311FCD429210E56378B47BC08EEDD8E9288CDEB14406097FAC6F02BF55ACB53D0D77F4F26CD462ADC0BC09ADA6853512943A8986F7409B10D85E1AA0FA434AA
                          Malicious:false
                          Preview:V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\svchost.exe
                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x48378a27, page size 16384, Windows version 10.0
                          Category:dropped
                          Size (bytes):786432
                          Entropy (8bit):0.25070166097977487
                          Encrypted:false
                          SSDEEP:384:Rnm+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:RnJSB2nSB2RSjlK/+mLesOj1J2
                          MD5:928624A83F9D798FF803E65377721137
                          SHA1:11C16385024ACA104734770654E915BDEA55196A
                          SHA-256:E8711ACA4D7AB3DD0C82E9B59BCE3CA2DE255D78D544741EF7E9D6B901FD780C
                          SHA-512:B1C108C99AA6443226F7D118A4F249018C710E364A22263067F84D265F2C9FB43983CF59EE294A35EADA58B5C8FA143E0CC97F825CA003BEDC6D13BD64FEEB8B
                          Malicious:false
                          Preview:H7.'... ................e.f.3...w........................)......%...z..9!...z..h.(......%...z....)..............3...w...........................................................................................................B...........@...................................................................................................... ........................................................................................................................................................................................................................................................%...z...................~[..%...z..........................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):0.07727315315325223
                          Encrypted:false
                          SSDEEP:3:Er7vcEkBjApfm1/+mmgkcICA//FjApfm1/All3Vkttlmlnl:ErrcEk6oYDzWoA3
                          MD5:4146FB090B15A32AA759FB82DB1905B6
                          SHA1:5D1466F577C4C8B68060FB2A13B9718A8E1E2700
                          SHA-256:077E85DA7D7D045B8680FDF82B04E9A5BA48191448330A9A4F16433AC5261C15
                          SHA-512:0372A572C11DE60FF4CDEF69716DE199D05D3416CF92ED020C2FC998078F5F7AE31E9E80E260EB321D53FFF983132186A7DA9497F2D5D435B85C7429067DD9AA
                          Malicious:false
                          Preview:.JZ{.....................................3...w..9!...z/..%...z...........%...z...%...z......%...z.e.................~[..%...z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\svchost.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):55
                          Entropy (8bit):4.306461250274409
                          Encrypted:false
                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                          Malicious:false
                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                          File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Entropy (8bit):6.482098733128464
                          TrID:
                          • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                          • Win64 Executable (generic) (12005/4) 10.17%
                          • Generic Win/DOS Executable (2004/3) 1.70%
                          • DOS Executable Generic (2002/1) 1.70%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                          File name:yj81rxDZIp.dll
                          File size:545280
                          MD5:4f1cdae4390ecb862267f2eaaf826c74
                          SHA1:082de69d51991350ddfc05350073a55571c3ce5d
                          SHA256:c4e2c26fd37189447fcd387393974199933fdbffaadf2faaaac5347d1b0a8ef5
                          SHA512:04e5e7f0086810c82e1ae0e21fb953df25873f8361da4f20f5d844778d91a77cb3b71489d005ebd4fa7535f2a96db3bfbcca632cebe12d9022f899fab7efee0e
                          SSDEEP:12288:B4UJY9B+TenWsSEPHjMOUP9uXdt7JpfYNVr9RM54RutCTdJGqIoTCZ4eEsZiHxHy:B4UJY9BSenZSEPHjMOUP9Udt7JpfYNVe
                          TLSH:33C4CFA5435C08FCE762C3395C975BC5B1F7BDAE0664AF260BC18DA05E1BA90F53A381
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.H.v.&.v.&.v.&.h...o.&.h...2.&.h.....&.Q6].s.&.v.'.9.&.h...w.&.h...w.&.h...w.&.h...w.&.Richv.&.........PE..d.....}b.........."
                          Icon Hash:74f0e4ecccdce0e4
                          Entrypoint:0x1800423a8
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x180000000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x627D8598 [Thu May 12 22:09:28 2022 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:2
                          File Version Major:5
                          File Version Minor:2
                          Subsystem Version Major:5
                          Subsystem Version Minor:2
                          Import Hash:b268dbaa2e6eb6acd16e04d482356598
                          Instruction
                          dec eax
                          mov dword ptr [esp+08h], ebx
                          dec eax
                          mov dword ptr [esp+10h], esi
                          push edi
                          dec eax
                          sub esp, 20h
                          dec ecx
                          mov edi, eax
                          mov ebx, edx
                          dec eax
                          mov esi, ecx
                          cmp edx, 01h
                          jne 00007F698C737937h
                          call 00007F698C739AC4h
                          dec esp
                          mov eax, edi
                          mov edx, ebx
                          dec eax
                          mov ecx, esi
                          dec eax
                          mov ebx, dword ptr [esp+30h]
                          dec eax
                          mov esi, dword ptr [esp+38h]
                          dec eax
                          add esp, 20h
                          pop edi
                          jmp 00007F698C7377E0h
                          int3
                          int3
                          int3
                          dec eax
                          mov dword ptr [esp+08h], ecx
                          dec eax
                          sub esp, 00000088h
                          dec eax
                          lea ecx, dword ptr [00014D05h]
                          call dword ptr [0000FC7Fh]
                          dec esp
                          mov ebx, dword ptr [00014DF0h]
                          dec esp
                          mov dword ptr [esp+58h], ebx
                          inc ebp
                          xor eax, eax
                          dec eax
                          lea edx, dword ptr [esp+60h]
                          dec eax
                          mov ecx, dword ptr [esp+58h]
                          call 00007F698C7464BAh
                          dec eax
                          mov dword ptr [esp+50h], eax
                          dec eax
                          cmp dword ptr [esp+50h], 00000000h
                          je 00007F698C737973h
                          dec eax
                          mov dword ptr [esp+38h], 00000000h
                          dec eax
                          lea eax, dword ptr [esp+48h]
                          dec eax
                          mov dword ptr [esp+30h], eax
                          dec eax
                          lea eax, dword ptr [esp+40h]
                          dec eax
                          mov dword ptr [esp+28h], eax
                          dec eax
                          lea eax, dword ptr [00014CB0h]
                          dec eax
                          mov dword ptr [esp+20h], eax
                          dec esp
                          mov ecx, dword ptr [esp+50h]
                          dec esp
                          mov eax, dword ptr [esp+58h]
                          dec eax
                          mov edx, dword ptr [esp+60h]
                          xor ecx, ecx
                          call 00007F698C746468h
                          jmp 00007F698C737954h
                          dec eax
                          mov eax, dword ptr [eax+eax+00000000h]
                          Programming Language:
                          • [ C ] VS2008 build 21022
                          • [LNK] VS2008 build 21022
                          • [ASM] VS2008 build 21022
                          • [IMP] VS2005 build 50727
                          • [RES] VS2008 build 21022
                          • [EXP] VS2008 build 21022
                          • [C++] VS2008 build 21022
                          NameVirtual AddressVirtual Size Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT0x55cf00x6f.rdata
                          IMAGE_DIRECTORY_ENTRY_IMPORT0x5544c0x3c.rdata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x5a0000x2dffc.rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x590000xe1c.pdata
                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x880000x1d8.reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IAT0x520000x288.rdata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          .text0x10000x504ca0x50600False0.389081940124zlib compressed data5.26882252971IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rdata0x520000x3d5f0x3e00False0.355405745968data5.39334203825IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data0x560000x20d80x1200False0.180772569444data2.18161586025IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .pdata0x590000xe1c0x1000False0.44580078125data4.98556265168IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .rsrc0x5a0000x2dffc0x2e000False0.839408542799data7.73448363752IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc0x880000x6f80x800False0.1796875data1.81179169858IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          NameRVASizeTypeLanguageCountry
                          RT_RCDATA0x5a0a00x2de00dataEnglishUnited States
                          RT_MANIFEST0x87ea00x15aASCII text, with CRLF line terminatorsEnglishUnited States
                          DLLImport
                          KERNEL32.dllExitProcess, VirtualAlloc, CompareStringW, CompareStringA, GetTimeZoneInformation, GetLocaleInfoW, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, TlsAlloc, FlsGetValue, FlsFree, SetLastError, GetLastError, GetCurrentThread, FlsAlloc, HeapFree, Sleep, GetModuleHandleW, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, RtlUnwindEx, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, HeapAlloc, HeapReAlloc, WriteFile, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetDateFormatA, GetTimeFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, HeapSize, SetEnvironmentVariableA
                          ole32.dllCoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc
                          NameOrdinalAddress
                          DllRegisterServer10x180042050
                          DllUnregisterServer20x180042080
                          Language of compilation systemCountry where language is spokenMap
                          EnglishUnited States
                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                          192.168.2.5150.95.66.1244977580802404312 05/14/22-04:33:59.725234TCP2404312ET CNC Feodo Tracker Reported CnC Server TCP group 7497758080192.168.2.5150.95.66.124
                          TimestampSource PortDest PortSource IPDest IP
                          May 14, 2022 04:33:56.379163027 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:56.379209042 CEST4434977323.239.0.12192.168.2.5
                          May 14, 2022 04:33:56.379298925 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:56.414200068 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:56.414246082 CEST4434977323.239.0.12192.168.2.5
                          May 14, 2022 04:33:56.960381985 CEST4434977323.239.0.12192.168.2.5
                          May 14, 2022 04:33:56.960558891 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:58.667026043 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:58.667067051 CEST4434977323.239.0.12192.168.2.5
                          May 14, 2022 04:33:58.667361975 CEST4434977323.239.0.12192.168.2.5
                          May 14, 2022 04:33:58.667604923 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:58.671036005 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:58.712493896 CEST4434977323.239.0.12192.168.2.5
                          May 14, 2022 04:33:58.843278885 CEST4434977323.239.0.12192.168.2.5
                          May 14, 2022 04:33:58.843379021 CEST4434977323.239.0.12192.168.2.5
                          May 14, 2022 04:33:58.843453884 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:58.843478918 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:58.846863031 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:58.846904039 CEST4434977323.239.0.12192.168.2.5
                          May 14, 2022 04:33:58.846919060 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:58.846963882 CEST49773443192.168.2.523.239.0.12
                          May 14, 2022 04:33:59.725234032 CEST497758080192.168.2.5150.95.66.124
                          May 14, 2022 04:33:59.922143936 CEST808049775150.95.66.124192.168.2.5
                          May 14, 2022 04:33:59.925414085 CEST497758080192.168.2.5150.95.66.124
                          May 14, 2022 04:33:59.926034927 CEST497758080192.168.2.5150.95.66.124
                          May 14, 2022 04:34:00.122863054 CEST808049775150.95.66.124192.168.2.5
                          May 14, 2022 04:34:00.138585091 CEST808049775150.95.66.124192.168.2.5
                          May 14, 2022 04:34:00.138623953 CEST808049775150.95.66.124192.168.2.5
                          May 14, 2022 04:34:00.138844013 CEST497758080192.168.2.5150.95.66.124
                          May 14, 2022 04:34:00.299082041 CEST497758080192.168.2.5150.95.66.124
                          May 14, 2022 04:34:00.497375965 CEST808049775150.95.66.124192.168.2.5
                          May 14, 2022 04:34:00.497461081 CEST497758080192.168.2.5150.95.66.124
                          May 14, 2022 04:34:00.498275042 CEST497758080192.168.2.5150.95.66.124
                          May 14, 2022 04:34:00.732228994 CEST808049775150.95.66.124192.168.2.5
                          May 14, 2022 04:34:01.423486948 CEST808049775150.95.66.124192.168.2.5
                          May 14, 2022 04:34:01.423706055 CEST497758080192.168.2.5150.95.66.124
                          May 14, 2022 04:34:04.423486948 CEST808049775150.95.66.124192.168.2.5
                          May 14, 2022 04:34:04.423563957 CEST808049775150.95.66.124192.168.2.5
                          May 14, 2022 04:34:04.423650026 CEST497758080192.168.2.5150.95.66.124
                          May 14, 2022 04:34:04.424582005 CEST497758080192.168.2.5150.95.66.124
                          May 14, 2022 04:35:46.266910076 CEST497758080192.168.2.5150.95.66.124
                          May 14, 2022 04:35:46.266943932 CEST497758080192.168.2.5150.95.66.124
                          • 23.239.0.12
                          Session IDSource IPSource PortDestination IPDestination PortProcess
                          0192.168.2.54977323.239.0.12443C:\Windows\System32\regsvr32.exe
                          TimestampkBytes transferredDirectionData
                          2022-05-14 02:33:58 UTC0OUTGET / HTTP/1.1
                          Cookie: QplU=hBL9qJmGvW/2EuZ+GBF9bH2Pgx/JXOgEgUtSMs/Xr65WzDcqetddaWzwuXh5JGx39JgIR932OSnFY7E9phFJznqERMAUy3kUCUPxgga7CbKI6PBLY6I638PGhOIVZSUw305F9rapXw/czJXriHFq3NWcZgk0+SEeip6YZgc+3gUrtVrVeMEIF9KknYl3mfXEDIMIpUXTxabJMjN6Z50nL/WUTE7lAATo6Fjj4ZuuVOtxKlmhmkYxOI9E6JidVirta2dbsnCt+uBB1ViBVc3HvZOhdAwkTZXZin4oG8ahn7usXUw+DZruLwhbao/dbbpRRY9R4mVWuKxe55MemWZ4R6k=
                          Host: 23.239.0.12
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          2022-05-14 02:33:58 UTC0INHTTP/1.1 503 Service Temporarily Unavailable
                          Server: nginx
                          Date: Sat, 14 May 2022 02:33:58 GMT
                          Content-Type: text/html
                          Content-Length: 494
                          Connection: close
                          ETag: "605d14d6-1ee"
                          2022-05-14 02:33:58 UTC0INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 33 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 54 61 68 6f 6d 61 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 6e 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 2e 3c 2f 68 31 3e 0a 3c 70 3e 53 6f 72 72 79 2c 20 74 68 65 20 70 61 67 65 20 79 6f 75 20 61 72
                          Data Ascii: <!DOCTYPE html><html><head><title>Error</title><style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; }</style></head><body><h1>An error occurred.</h1><p>Sorry, the page you ar


                          Click to jump to process

                          Target ID:0
                          Start time:04:33:22
                          Start date:14/05/2022
                          Path:C:\Windows\System32\loaddll64.exe
                          Wow64 process (32bit):false
                          Commandline:loaddll64.exe "C:\Users\user\Desktop\yj81rxDZIp.dll"
                          Imagebase:0x7ff7e2710000
                          File size:140288 bytes
                          MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:1
                          Start time:04:33:22
                          Start date:14/05/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yj81rxDZIp.dll",#1
                          Imagebase:0x7ff602050000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:2
                          Start time:04:33:23
                          Start date:14/05/2022
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32.exe /s C:\Users\user\Desktop\yj81rxDZIp.dll
                          Imagebase:0x7ff703e50000
                          File size:24064 bytes
                          MD5 hash:D78B75FC68247E8A63ACBA846182740E
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.434632880.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.435422797.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:3
                          Start time:04:33:23
                          Start date:14/05/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:rundll32.exe "C:\Users\user\Desktop\yj81rxDZIp.dll",#1
                          Imagebase:0x7ff7d6be0000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.436780201.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.437553196.0000012A08A10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:4
                          Start time:04:33:23
                          Start date:14/05/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:rundll32.exe C:\Users\user\Desktop\yj81rxDZIp.dll,DllRegisterServer
                          Imagebase:0x7ff7d6be0000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.434955422.000001A2C05E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.434704633.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:5
                          Start time:04:33:27
                          Start date:14/05/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:rundll32.exe C:\Users\user\Desktop\yj81rxDZIp.dll,DllUnregisterServer
                          Imagebase:0x7ff7d6be0000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:6
                          Start time:04:33:27
                          Start date:14/05/2022
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KZsiDdn\sdxQuTDjzsbvXJ.dll"
                          Imagebase:0x7ff703e50000
                          File size:24064 bytes
                          MD5 hash:D78B75FC68247E8A63ACBA846182740E
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.944705463.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.944856611.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:12
                          Start time:04:33:44
                          Start date:14/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:14
                          Start time:04:33:50
                          Start date:14/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:15
                          Start time:04:33:54
                          Start date:14/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:16
                          Start time:04:33:59
                          Start date:14/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:17
                          Start time:04:34:09
                          Start date:14/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:22
                          Start time:04:34:26
                          Start date:14/05/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff78ca80000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          No disassembly