Windows Analysis Report
qJhkILqiEA

Overview

General Information

Sample Name: qJhkILqiEA (renamed file extension from none to dll)
Analysis ID: 631909
MD5: 8516983eedc8690c1495b828b4262a63
SHA1: bdd250044234e53e9f08db444a1de00987735930
SHA256: 90498f1ee590da28566434c15efcfd98e829846f233387553ea655fc7559168d
Tags: exetrojan

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: qJhkILqiEA.dll Virustotal: Detection: 38%
Source: qJhkILqiEA.dll ReversingLabs: Detection: 58%
Source: https://173.82.82.196:8080/tem Avira URL Cloud: Label: malware
Source: https://173.82.82.196:8080/4 Avira URL Cloud: Label: malware
Source: https://173.82.82.196/ URL Reputation: Label: malware
Source: https://173.82.82.196:8080/ URL Reputation: Label: malware
Source: https://173.82.82.196:8080/X Avira URL Cloud: Label: malware
Source: qJhkILqiEA.dll Joe Sandbox ML: detected
Source: qJhkILqiEA.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 9_2_00000001800248B0

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.82.82.196 8080
Source: Joe Sandbox View ASN Name: MULTA-ASN1US
Source: Joe Sandbox View IP Address: 173.82.82.196
Source: global traffic TCP traffic: 192.168.2.4:49753 -> 173.82.82.196:8080
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: svchost.exe, 00000026.00000003.602679362.000002450776F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals 
www.facebook.com (Facebook)
Source: svchost.exe, 00000026.00000003.602679362.000002450776F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals 
www.twitter.com (Twitter)
Source: svchost.exe, 00000026.00000003.602679362.000002450776F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.602717062.0000024507780000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","
GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: regsvr32.exe, 00000009.00000003.572877262.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.779869873.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.667132701.00000233A6462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.645256392.0000024507700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000015.00000002.667067807.00000233A6413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000009.00000002.779704007.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.574209878.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000009.00000003.573783150.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.345372968.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.779982091.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.345995503.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.346476340.0000000002DC4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.780319248.0000000002DC4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.9.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000009.00000003.573783150.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.779982091.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab7A
Source: regsvr32.exe, 00000009.00000003.573487527.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.780054708.0000000000C57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1e21e31cb5a00
Source: svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000010.00000002.326155574.000001EEBD413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196/
Source: regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/
Source: regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/4
Source: regsvr32.exe, 00000009.00000002.779344665.0000000000B68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/X
Source: regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/tem
Source: svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000010.00000002.326502045.000001EEBD469000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325786484.000001EEBD467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000002.326477827.000001EEBD456000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325925433.000001EEBD450000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325821699.000001EEBD44D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000010.00000002.326457641.000001EEBD442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325882596.000001EEBD441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000010.00000002.326457641.000001EEBD442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325882596.000001EEBD441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326463887.000001EEBD44B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000002.326463887.000001EEBD44B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000002.326463887.000001EEBD44B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000003.325821699.000001EEBD44D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000026.00000003.616553473.00000245077AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616691918.0000024507787000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616612672.00000245077B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616639931.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616586218.0000024507798000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616569796.0000024507787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.326155574.000001EEBD413000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325877149.000001EEBD445000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325877149.000001EEBD445000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326347509.000001EEBD439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000010.00000002.326477827.000001EEBD456000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325925433.000001EEBD450000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325821699.000001EEBD44D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000026.00000003.616553473.00000245077AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616691918.0000024507787000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616612672.00000245077B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616639931.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616586218.0000024507798000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616569796.0000024507787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000026.00000003.616553473.00000245077AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616691918.0000024507787000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616612672.00000245077B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616639931.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616586218.0000024507798000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616569796.0000024507787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000026.00000003.624893055.0000024507789000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 00000026.00000003.624813083.00000245077B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624938666.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624922280.000002450779A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624893055.0000024507789000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624832618.00000245077B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180006B24 InternetReadFile, 9_2_0000000180006B24

E-Banking Fraud

Source: Yara match File source: 9.2.regsvr32.exe.2430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.14b00000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.1bb54e00000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.14b00000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.1bb54e00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.2430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.1bb54e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.1bb54e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1bb54e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.14b00000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.14b00000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.14b00000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1bb54e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.14b00000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.276299390.00000000010B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.275085692.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.273091773.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.301040705.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.275341515.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.275169745.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.300731557.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.274124592.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.300443242.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.275509127.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.273232804.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.780104900.0000000002430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.780540136.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.273887036.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.301094896.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2960 -s 352
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\JTkGafd\eTKTE.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\JTkGafd\
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE27212B0 3_2_00007FFFE27212B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE2724A70 3_2_00007FFFE2724A70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE27253FB 3_2_00007FFFE27253FB
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE2725CAD 3_2_00007FFFE2725CAD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE272443C 3_2_00007FFFE272443C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE2726850 3_2_00007FFFE2726850
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE2725E01 3_2_00007FFFE2725E01
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_010A0000 3_2_010A0000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006414 3_2_0000000180006414
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005C74 3_2_0000000180005C74
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002ACE8 3_2_000000018002ACE8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024104 3_2_0000000180024104
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020118 3_2_0000000180020118
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000359C 3_2_000000018000359C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E99C 3_2_000000018000E99C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019628 3_2_0000000180019628
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025A4C 3_2_0000000180025A4C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002B7B2 3_2_000000018002B7B2
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009408 3_2_0000000180009408
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023C14 3_2_0000000180023C14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002582C 3_2_000000018002582C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B834 3_2_000000018000B834
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000403C 3_2_000000018000403C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021444 3_2_0000000180021444
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012044 3_2_0000000180012044
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016054 3_2_0000000180016054
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001705C 3_2_000000018001705C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001870 3_2_0000000180001870
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F878 3_2_000000018001F878
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014484 3_2_0000000180014484
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015494 3_2_0000000180015494
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000BC98 3_2_000000018000BC98
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008C9C 3_2_0000000180008C9C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800078A4 3_2_00000001800078A4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F0A8 3_2_000000018001F0A8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E4AC 3_2_000000018001E4AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800048B0 3_2_00000001800048B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001ACB4 3_2_000000018001ACB4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800090B4 3_2_00000001800090B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800270C0 3_2_00000001800270C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800024C0 3_2_00000001800024C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800280C8 3_2_00000001800280C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800050D4 3_2_00000001800050D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800234D8 3_2_00000001800234D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800150F0 3_2_00000001800150F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012500 3_2_0000000180012500
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A10C 3_2_000000018001A10C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028D10 3_2_0000000180028D10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A524 3_2_000000018001A524
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002D28 3_2_0000000180002D28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E130 3_2_000000018000E130
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029134 3_2_0000000180029134
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008134 3_2_0000000180008134
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022140 3_2_0000000180022140
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006954 3_2_0000000180006954
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F554 3_2_000000018000F554
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002B564 3_2_000000018002B564
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012168 3_2_0000000180012168
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013568 3_2_0000000180013568
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024570 3_2_0000000180024570
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019178 3_2_0000000180019178
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025180 3_2_0000000180025180
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001980 3_2_0000000180001980
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021588 3_2_0000000180021588
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A988 3_2_000000018001A988
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018190 3_2_0000000180018190
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013994 3_2_0000000180013994
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028998 3_2_0000000180028998
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800061A0 3_2_00000001800061A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800135A6 3_2_00000001800135A6
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016DA8 3_2_0000000180016DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800059AC 3_2_00000001800059AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800135B4 3_2_00000001800135B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C1B8 3_2_000000018001C1B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800025B8 3_2_00000001800025B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800085BC 3_2_00000001800085BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800015C0 3_2_00000001800015C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800295C8 3_2_00000001800295C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800229CC 3_2_00000001800229CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E5D4 3_2_000000018000E5D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002A5D8 3_2_000000018002A5D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800261E0 3_2_00000001800261E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800079EC 3_2_00000001800079EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023624 3_2_0000000180023624
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018628 3_2_0000000180018628
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017E2C 3_2_0000000180017E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017638 3_2_0000000180017638
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004E3C 3_2_0000000180004E3C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020E40 3_2_0000000180020E40
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015A64 3_2_0000000180015A64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015264 3_2_0000000180015264
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A26C 3_2_000000018000A26C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007678 3_2_0000000180007678
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001667C 3_2_000000018001667C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012680 3_2_0000000180012680
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001E88 3_2_0000000180001E88
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000968C 3_2_000000018000968C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022290 3_2_0000000180022290
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026A90 3_2_0000000180026A90
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000529C 3_2_000000018000529C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020AA0 3_2_0000000180020AA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022AAC 3_2_0000000180022AAC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007EB4 3_2_0000000180007EB4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800162BC 3_2_00000001800162BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800252C0 3_2_00000001800252C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001AEC8 3_2_000000018001AEC8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F6DC 3_2_000000018001F6DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800026DC 3_2_00000001800026DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002ADC 3_2_0000000180002ADC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E2F4 3_2_000000018001E2F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016AF4 3_2_0000000180016AF4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000DEF4 3_2_000000018000DEF4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001DEFC 3_2_000000018001DEFC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006308 3_2_0000000180006308
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001370C 3_2_000000018001370C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004B18 3_2_0000000180004B18
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015F24 3_2_0000000180015F24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006B24 3_2_0000000180006B24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F328 3_2_000000018000F328
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021738 3_2_0000000180021738
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002AF38 3_2_000000018002AF38
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028348 3_2_0000000180028348
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000DB4C 3_2_000000018000DB4C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014F50 3_2_0000000180014F50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B350 3_2_000000018000B350
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A758 3_2_000000018000A758
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002975C 3_2_000000018002975C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024370 3_2_0000000180024370
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008370 3_2_0000000180008370
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015774 3_2_0000000180015774
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012378 3_2_0000000180012378
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026B98 3_2_0000000180026B98
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001CF9C 3_2_000000018001CF9C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001EBA0 3_2_000000018001EBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B3A4 3_2_000000018001B3A4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D7AC 3_2_000000018000D7AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800053B0 3_2_00000001800053B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015BB8 3_2_0000000180015BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800207BC 3_2_00000001800207BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000FFC0 3_2_000000018000FFC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800173DC 3_2_00000001800173DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018BDC 3_2_0000000180018BDC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFFE27212B0 4_2_00007FFFE27212B0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFFE2724A70 4_2_00007FFFE2724A70
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFFE27253FB 4_2_00007FFFE27253FB
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFFE2725CAD 4_2_00007FFFE2725CAD
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFFE272443C 4_2_00007FFFE272443C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFFE2726850 4_2_00007FFFE2726850
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFFE2725E01 4_2_00007FFFE2725E01
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000014B7C8C0000 4_2_0000014B7C8C0000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001BB54DF0000 5_2_000001BB54DF0000
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00E00000 9_2_00E00000
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180006414 9_2_0000000180006414
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000C819 9_2_000000018000C819
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180019628 9_2_0000000180019628
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180025A4C 9_2_0000000180025A4C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180012864 9_2_0000000180012864
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180005C74 9_2_0000000180005C74
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800248B0 9_2_00000001800248B0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800252C0 9_2_00000001800252C0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180006B24 9_2_0000000180006B24
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180006F2C 9_2_0000000180006F2C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000A758 9_2_000000018000A758
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180012168 9_2_0000000180012168
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180024570 9_2_0000000180024570
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000E99C 9_2_000000018000E99C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001B3A4 9_2_000000018001B3A4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800079EC 9_2_00000001800079EC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180009408 9_2_0000000180009408
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180023C14 9_2_0000000180023C14
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180023624 9_2_0000000180023624
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180018628 9_2_0000000180018628
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018002582C 9_2_000000018002582C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180017E2C 9_2_0000000180017E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000B834 9_2_000000018000B834
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180017638 9_2_0000000180017638
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000403C 9_2_000000018000403C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180004E3C 9_2_0000000180004E3C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180020E40 9_2_0000000180020E40
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180021444 9_2_0000000180021444
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180012044 9_2_0000000180012044
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180016054 9_2_0000000180016054
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001705C 9_2_000000018001705C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180015A64 9_2_0000000180015A64
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180015264 9_2_0000000180015264
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000A26C 9_2_000000018000A26C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180001870 9_2_0000000180001870
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001F878 9_2_000000018001F878
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180007678 9_2_0000000180007678
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001667C 9_2_000000018001667C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180012680 9_2_0000000180012680
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180014484 9_2_0000000180014484
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180001E88 9_2_0000000180001E88
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000968C 9_2_000000018000968C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180022290 9_2_0000000180022290
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180026A90 9_2_0000000180026A90
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180015494 9_2_0000000180015494
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000BC98 9_2_000000018000BC98
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000529C 9_2_000000018000529C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180008C9C 9_2_0000000180008C9C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180020AA0 9_2_0000000180020AA0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800078A4 9_2_00000001800078A4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001F0A8 9_2_000000018001F0A8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180022AAC 9_2_0000000180022AAC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001E4AC 9_2_000000018001E4AC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800048B0 9_2_00000001800048B0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001ACB4 9_2_000000018001ACB4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180007EB4 9_2_0000000180007EB4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800090B4 9_2_00000001800090B4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800162BC 9_2_00000001800162BC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800270C0 9_2_00000001800270C0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800024C0 9_2_00000001800024C0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800280C8 9_2_00000001800280C8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001AEC8 9_2_000000018001AEC8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800050D4 9_2_00000001800050D4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800234D8 9_2_00000001800234D8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001F6DC 9_2_000000018001F6DC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800026DC 9_2_00000001800026DC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180002ADC 9_2_0000000180002ADC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018002ACE8 9_2_000000018002ACE8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800150F0 9_2_00000001800150F0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001E2F4 9_2_000000018001E2F4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180016AF4 9_2_0000000180016AF4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000DEF4 9_2_000000018000DEF4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001DEFC 9_2_000000018001DEFC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180012500 9_2_0000000180012500
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180024104 9_2_0000000180024104
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180006308 9_2_0000000180006308
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001370C 9_2_000000018001370C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001A10C 9_2_000000018001A10C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180028D10 9_2_0000000180028D10
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180020118 9_2_0000000180020118
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180004B18 9_2_0000000180004B18
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001A524 9_2_000000018001A524
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180015F24 9_2_0000000180015F24
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000F328 9_2_000000018000F328
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180002D28 9_2_0000000180002D28
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000E130 9_2_000000018000E130
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180029134 9_2_0000000180029134
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180008134 9_2_0000000180008134
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180021738 9_2_0000000180021738
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018002AF38 9_2_000000018002AF38
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180022140 9_2_0000000180022140
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180028348 9_2_0000000180028348
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000DB4C 9_2_000000018000DB4C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180014F50 9_2_0000000180014F50
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000B350 9_2_000000018000B350
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180006954 9_2_0000000180006954
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000F554 9_2_000000018000F554
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018002975C 9_2_000000018002975C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018002B564 9_2_000000018002B564
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180013568 9_2_0000000180013568
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180024370 9_2_0000000180024370
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180008370 9_2_0000000180008370
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180015774 9_2_0000000180015774
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180012378 9_2_0000000180012378
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180019178 9_2_0000000180019178
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180025180 9_2_0000000180025180
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180001980 9_2_0000000180001980
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180021588 9_2_0000000180021588
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001A988 9_2_000000018001A988
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180018190 9_2_0000000180018190
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180013994 9_2_0000000180013994
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180026B98 9_2_0000000180026B98
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180028998 9_2_0000000180028998
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001CF9C 9_2_000000018001CF9C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000359C 9_2_000000018000359C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001EBA0 9_2_000000018001EBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800061A0 9_2_00000001800061A0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800135A6 9_2_00000001800135A6
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180016DA8 9_2_0000000180016DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800059AC 9_2_00000001800059AC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000D7AC 9_2_000000018000D7AC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800053B0 9_2_00000001800053B0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800135B4 9_2_00000001800135B4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001C1B8 9_2_000000018001C1B8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180015BB8 9_2_0000000180015BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800025B8 9_2_00000001800025B8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800207BC 9_2_00000001800207BC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800085BC 9_2_00000001800085BC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800015C0 9_2_00000001800015C0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000FFC0 9_2_000000018000FFC0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800295C8 9_2_00000001800295C8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800229CC 9_2_00000001800229CC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000E5D4 9_2_000000018000E5D4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018002A5D8 9_2_000000018002A5D8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800173DC 9_2_00000001800173DC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180018BDC 9_2_0000000180018BDC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800261E0 9_2_00000001800261E0
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFFE2727FF0 appears 31 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFFE272B3B0 appears 148 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFFE272BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFFE2727FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFFE272B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFFE272BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: qJhkILqiEA.dll Virustotal: Detection: 38%
Source: qJhkILqiEA.dll ReversingLabs: Detection: 58%
Source: qJhkILqiEA.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\qJhkILqiEA.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qJhkILqiEA.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_FileTime
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_SystemTime
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JTkGafd\eTKTE.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2960 -s 352
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6236 -s 328
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qJhkILqiEA.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_FileTime Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_SystemTime Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JTkGafd\eTKTE.dll" Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Jump to behavior
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE25C.tmp Jump to behavior
Source: classification engine Classification label: mal84.troj.evad.winDLL@32/16@0/3
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180006F2C FindCloseChangeNotification,Process32FirstW,CreateToolhelp32Snapshot,Process32NextW, 9_2_0000000180006F2C
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6236
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2960
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5772:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: qJhkILqiEA.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: qJhkILqiEA.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000C892 push ebp; retf 3_2_000000018000C895
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D095 push B3B8007Eh; iretd 3_2_000000018000D09A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D0F3 push ebp; iretd 3_2_000000018000D0F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013551 push ebx; retf 3_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D15D push ebx; retn 0068h 3_2_000000018000D15E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000CDA8 push ebp; iretd 3_2_000000018000CDA9
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000CE36 push 458B0086h; iretd 3_2_000000018000CE3B
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180013551 push ebx; retf 9_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE27312E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_00007FFFE27312E3
Source: qJhkILqiEA.dll Static PE information: real checksum: 0x654f5 should be: 0x66558
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qJhkILqiEA.dll
Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\JTkGafd\eTKTE.dll Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\JTkGafd\eTKTE.dll:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1404 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5304 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4180 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.2 %
Source: C:\Windows\System32\rundll32.exe API coverage: 8.6 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 9_2_00000001800248B0
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 00000015.00000002.666840804.00000233A0C24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`RF
Source: svchost.exe, 00000015.00000002.667132701.00000233A6462000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW(@
Source: regsvr32.exe, 00000009.00000002.779704007.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.779591916.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.574209878.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.667115148.00000233A6449000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.645176753.0000024506ED6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.645202538.0000024506EED000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.645130309.0000024506EAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.779374181.000001E85C802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000D.00000002.779489914.000001E85C841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.779540220.0000024354A29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE272BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFFE272BE50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE2730215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error, 3_2_00007FFFE2730215
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE27312E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_00007FFFE27312E3
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE272BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFFE272BE50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE2723280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFFE2723280
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFFE272BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FFFE272BE50
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFFE2723280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FFFE2723280

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.82.82.196 8080 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE2728900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_00007FFFE2728900
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFFE2728860 HeapCreate,GetVersion,HeapSetInformation, 3_2_00007FFFE2728860

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000012.00000002.779551502.000002064CE40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000012.00000002.779505236.000002064CE29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.779593376.000002064CF02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 9.2.regsvr32.exe.2430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.14b00000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.1bb54e00000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.14b00000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.1bb54e00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.2430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.1bb54e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.1bb54e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1bb54e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.14b00000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.14b00000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.14b00000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1bb54e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.14b00000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.276299390.00000000010B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.275085692.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.273091773.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.301040705.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.275341515.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.275169745.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.300731557.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.274124592.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.300443242.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.275509127.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.273232804.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.780104900.0000000002430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.780540136.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.273887036.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.301094896.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY