Windows Analysis Report
qJhkILqiEA.dll

Overview

General Information

Sample Name: qJhkILqiEA.dll
Analysis ID: 631909
MD5: 8516983eedc8690c1495b828b4262a63
SHA1: bdd250044234e53e9f08db444a1de00987735930
SHA256: 90498f1ee590da28566434c15efcfd98e829846f233387553ea655fc7559168d
Tags: exetrojan

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: qJhkILqiEA.dll Virustotal: Detection: 38%
Source: qJhkILqiEA.dll ReversingLabs: Detection: 58%
Source: https://173.82.82.196:8080/f Avira URL Cloud: Label: malware
Source: https://173.82.82.196/0.v9 Avira URL Cloud: Label: malware
Source: https://173.82.82.196:8080/(. Avira URL Cloud: Label: malware
Source: https://173.82.82.196/ URL Reputation: Label: malware
Source: https://173.82.82.196:8080/ URL Reputation: Label: malware
Source: https://173.82.82.196:8080/P Avira URL Cloud: Label: malware
Source: qJhkILqiEA.dll Joe Sandbox ML: detected
Source: qJhkILqiEA.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 7_2_00000001800248B0
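Two of the static findings above (DYNAMIC_BASE and NX_COMPAT set in DllCharacteristics, and the "PE file contains an invalid checksum" signature from the list at the top) can be reproduced without a sandbox by reading the optional header directly. The script below is an added example written for this page, not Joe Sandbox's or the sample's code. The checksum routine follows the algorithm imagehlp's CheckSumMappedFile and pefile implement (32-bit word sum with carry folding, CheckSum field skipped, folded to 16 bits, plus file length). Because the analysed DLL is not reproduced here, the script builds a headers-only PE32+ image in memory as its sample input; `build_pe` and its layout constants are this example's own.

```python
"""Verify OptionalHeader.CheckSum and decode DllCharacteristics of a PE file.

Added example for this report; not code from Joe Sandbox or from the sample.
The PE image it operates on is constructed in memory by build_pe() so the
script runs offline. Assumption: e_lfanew is 4-byte aligned, as it is in every
linker-produced image (the checksum is summed as 32-bit words).
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT": 0x0100,
    "NO_SEH": 0x0400,
    "GUARD_CF": 0x4000,
}
CHECKSUM_OFFSET = 64            # offset of CheckSum inside the optional header
DLLCHAR_OFFSET = 70             # offset of DllCharacteristics inside it


def _optional_header_offset(data):
    """Return the file offset of the optional header (after PE sig + COFF header)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20


def pe_checksum(data):
    """Compute the checksum the Windows loader expects in OptionalHeader.CheckSum."""
    cs_off = _optional_header_offset(data) + CHECKSUM_OFFSET
    if cs_off % 4:
        raise ValueError("unaligned CheckSum field; word-wise sum not applicable")
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:       # the stored checksum itself is excluded
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:  # fold the carry back in (ones' complement style)
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data):
    return struct.unpack_from("<I", data, _optional_header_offset(data) + CHECKSUM_OFFSET)[0]


def checksum_valid(data):
    """False for a zeroed checksum (common for unsigned builds) or a patched file."""
    return stored_checksum(data) == pe_checksum(data)


def dll_characteristics(data):
    """Names of the DllCharacteristics flags that are set, e.g. ['DYNAMIC_BASE', 'NX_COMPAT']."""
    flags = struct.unpack_from("<H", data, _optional_header_offset(data) + DLLCHAR_OFFSET)[0]
    return sorted(name for name, bit in DLL_CHARACTERISTICS.items() if flags & bit)


def build_pe(dllchar_flags, checksum=None):
    """Construct a minimal headers-only PE32+ DLL (no sections) for testing.

    checksum=None stores the correct value; pass an int to store a bogus one.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)  # x64, DLL
    opt = bytearray(240)                                        # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                       # Magic: PE32+
    struct.pack_into("<Q", opt, 24, 0x180000000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x1000, 0x400)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, dllchar_flags)          # Subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt))
    image += b"\0" * (0x400 - len(image))                       # pad to SizeOfHeaders
    value = pe_checksum(bytes(image)) if checksum is None else checksum
    struct.pack_into("<I", image, 64 + 4 + 20 + CHECKSUM_OFFSET, value)
    return bytes(image)


def describe(data):
    """Summary in the spirit of the report's 'Static PE information' line."""
    return {
        "checksum_stored": stored_checksum(data),
        "checksum_computed": pe_checksum(data),
        "checksum_valid": checksum_valid(data),
        "dll_characteristics": dll_characteristics(data),
    }


if __name__ == "__main__":
    good = build_pe(DLL_CHARACTERISTICS["DYNAMIC_BASE"] | DLL_CHARACTERISTICS["NX_COMPAT"])
    print(describe(good))
    print(describe(build_pe(DLL_CHARACTERISTICS["NX_COMPAT"], checksum=0)))
```

To run this against a real file, replace the constructed image with `open(path, "rb").read()`; a mismatch between stored and computed values is what the sandbox reports as an invalid checksum, and on its own it only says the linker did not set it or the file was modified after linking, which is common for both unsigned benign builds and repacked malware.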

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.82.82.196 8080
Source: Joe Sandbox View ASN Name: MULTA-ASN1US
Source: Joe Sandbox View IP Address: 173.82.82.196
Source: global traffic TCP traffic: 192.168.2.4:49762 -> 173.82.82.196:8080
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196 (reported 14 times in the trace)
Source: svchost.exe, 00000021.00000003.478052269.000001C77B973000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000021.00000003.478052269.000001C77B973000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000021.00000003.478052269.000001C77B973000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.478064549.000001C77B984000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: regsvr32.exe, 00000007.00000003.535103457.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.647977849.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.644828486.0000022F4C272000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.523318756.000001C77B900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000017.00000002.644662058.0000022F4C213000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.523167516.000001C77AEEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000007.00000003.536147270.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.647866799.0000000000A99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000007.00000003.535103457.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.647977849.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.7.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000007.00000003.319462034.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.319338396.0000000002C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.319590287.0000000002CF4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.648233032.0000000002CF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab9
Source: svchost.exe, 00000021.00000003.495561358.000001C77B98E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.495361255.000001C77B9A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000012.00000002.317577945.00000195B5E24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000010.00000002.647477108.000001D20863E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000010.00000002.647477108.000001D20863E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: regsvr32.exe, 00000007.00000002.647445988.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.535336382.0000000000A72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196/
Source: regsvr32.exe, 00000007.00000002.647445988.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.535336382.0000000000A72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196/0.v9
Source: regsvr32.exe, 00000007.00000002.647496148.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.647895703.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.535348405.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.536554846.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/
Source: regsvr32.exe, 00000007.00000002.647445988.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.535336382.0000000000A72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/(.
Source: regsvr32.exe, 00000007.00000002.647895703.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.536554846.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/P
Source: regsvr32.exe, 00000007.00000002.647496148.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.535348405.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/f
Source: svchost.exe, 00000010.00000002.647477108.000001D20863E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000012.00000003.316801953.00000195B5E50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000010.00000002.647477108.000001D20863E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000010.00000002.647477108.000001D20863E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000012.00000003.316812477.00000195B5E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317577945.00000195B5E24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000012.00000003.316812477.00000195B5E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317612674.00000195B5E4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000012.00000003.316801953.00000195B5E50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000012.00000002.317593966.00000195B5E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000012.00000003.316812477.00000195B5E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317612674.00000195B5E4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000012.00000003.316702192.00000195B5E68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317635939.00000195B5E6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000012.00000003.316801953.00000195B5E50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000012.00000002.317577945.00000195B5E24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000012.00000003.291687958.00000195B5E30000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317577945.00000195B5E24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000012.00000003.316812477.00000195B5E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317612674.00000195B5E4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000012.00000003.291687958.00000195B5E30000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.316801953.00000195B5E50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000012.00000002.317593966.00000195B5E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000012.00000003.316801953.00000195B5E50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000012.00000003.316801953.00000195B5E50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000012.00000003.316801953.00000195B5E50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000012.00000002.317577945.00000195B5E24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000012.00000003.316857943.00000195B5E41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.317078891.00000195B5E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317608897.00000195B5E43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000012.00000003.291687958.00000195B5E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 00000012.00000003.316857943.00000195B5E41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.317078891.00000195B5E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317608897.00000195B5E43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000012.00000003.316801953.00000195B5E50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000012.00000003.316812477.00000195B5E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.316857943.00000195B5E41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317612674.00000195B5E4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000012.00000003.291687958.00000195B5E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000021.00000003.495561358.000001C77B98E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.495361255.000001C77B9A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000012.00000003.316812477.00000195B5E4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000012.00000003.316812477.00000195B5E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317612674.00000195B5E4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000012.00000003.316812477.00000195B5E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317612674.00000195B5E4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000012.00000002.317577945.00000195B5E24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317608897.00000195B5E43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000012.00000003.316801953.00000195B5E50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000012.00000002.317593966.00000195B5E3E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.291687958.00000195B5E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000012.00000003.291687958.00000195B5E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000012.00000003.291687958.00000195B5E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 00000021.00000003.492529643.000001C77B9A8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492482077.000001C77BE03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492465997.000001C77BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492512474.000001C77B986000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492397766.000001C77B998000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492570326.000001C77BE19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492430641.000001C77B9A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000012.00000002.317593966.00000195B5E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000012.00000002.317593966.00000195B5E3E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.317577945.00000195B5E24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000012.00000003.291687958.00000195B5E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000012.00000003.316857943.00000195B5E41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.317044423.00000195B5E46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000012.00000003.291687958.00000195B5E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000012.00000003.317228227.00000195B5E3A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.291687958.00000195B5E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000012.00000002.317577945.00000195B5E24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000021.00000003.495561358.000001C77B98E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.495361255.000001C77B9A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000021.00000003.495561358.000001C77B98E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.495361255.000001C77B9A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000021.00000003.492529643.000001C77B9A8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492482077.000001C77BE03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492465997.000001C77BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492512474.000001C77B986000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492397766.000001C77B998000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492570326.000001C77BE19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492430641.000001C77B9A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000021.00000003.492529643.000001C77B9A8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492482077.000001C77BE03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492465997.000001C77BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492512474.000001C77B986000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492397766.000001C77B998000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492570326.000001C77BE19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.492430641.000001C77B9A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000021.00000003.503721537.000001C77BE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.503700080.000001C77B99F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.503683010.000001C77B98E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.503649260.000001C77B9B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.503617207.000001C77B9B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180006B24 InternetReadFile, 7_2_0000000180006B24

E-Banking Fraud

Source: Yara match File source: 2.2.regsvr32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1b300000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.298ca850000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1b300000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1b300000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.298ca850000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.298ca850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1b300000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.298ca850000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1b300000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.298ca850000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1b300000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.298ca850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.245516131.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.247075589.00000298CA850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.327804102.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.248215300.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.248087583.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.245417474.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.646304136.0000000000A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.328180679.000001B300000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.328137058.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.248564765.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.248656368.000001B300000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.327922020.00000298CA850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.246778578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.245618177.000001B300000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.648425079.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.245495998.00000298CA850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3180 -s 336
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\IxbPFgKevemZDIDo\xuHXDLB.dll:Zone.Identifier Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\IxbPFgKevemZDIDo\ Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFFEFB87FF0 appears 31 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFFEFB8B3B0 appears 148 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFFEFB8BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFFEFB87FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFFEFB8B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFFEFB8BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: qJhkILqiEA.dll Virustotal: Detection: 38%
Source: qJhkILqiEA.dll ReversingLabs: Detection: 58%
Source: qJhkILqiEA.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\qJhkILqiEA.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qJhkILqiEA.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_FileTime
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IxbPFgKevemZDIDo\xuHXDLB.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_SystemTime
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3180 -s 336
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3088 -s 332
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD79.tmp
Source: classification engine Classification label: mal84.troj.evad.winDLL@32/16@0/3
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180006F2C FindCloseChangeNotification,Process32FirstW,CreateToolhelp32Snapshot,Process32NextW, 7_2_0000000180006F2C
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3180
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3088
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5008:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: qJhkILqiEA.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: qJhkILqiEA.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000C892 push ebp; retf 2_2_000000018000C895
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000D095 push B3B8007Eh; iretd 2_2_000000018000D09A
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000D0F3 push ebp; iretd 2_2_000000018000D0F4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180013551 push ebx; retf 2_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000D15D push ebx; retn 0068h 2_2_000000018000D15E
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000CDA8 push ebp; iretd 2_2_000000018000CDA9
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000CE36 push 458B0086h; iretd 2_2_000000018000CE3B
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180013551 push ebx; retf 7_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFEFB912E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_00007FFFEFB912E3
Source: qJhkILqiEA.dll Static PE information: real checksum: 0x654f5 should be: 0x66558
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qJhkILqiEA.dll
Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\IxbPFgKevemZDIDo\xuHXDLB.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\IxbPFgKevemZDIDo\xuHXDLB.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 5992 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6412 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6196 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.2 %
Source: C:\Windows\System32\rundll32.exe API coverage: 8.6 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 7_2_00000001800248B0
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000017.00000002.644757918.0000022F4C24C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000021.00000002.522958403.000001C77AE70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: regsvr32.exe, 00000007.00000002.647496148.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.535348405.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`o
Source: regsvr32.exe, 00000007.00000002.647895703.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.536554846.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.644757918.0000022F4C24C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.523167516.000001C77AEEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000F.00000002.646346054.0000023B29A02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000017.00000002.640444149.0000022F46A29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW]%L/
Source: svchost.exe, 0000000F.00000002.647352744.0000023B29A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.647564108.000001D208662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.647409492.000001E43F029000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFEFB83280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFFEFB83280
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFEFB90215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error, 2_2_00007FFFEFB90215
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFEFB912E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_00007FFFEFB912E3
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFEFB83280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFFEFB83280
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFEFB8BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFFEFB8BE50
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFFEFB83280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFFEFB83280
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFFEFB8BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFFEFB8BE50

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.82.82.196 8080
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFEFB88900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_00007FFFEFB88900
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFEFB88860 HeapCreate,GetVersion,HeapSetInformation, 2_2_00007FFFEFB88860

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000014.00000002.647404909.000001A69D840000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000014.00000002.647352065.000001A69D829000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.647502307.000001A69D902000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 2.2.regsvr32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1b300000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.298ca850000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1b300000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1b300000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.298ca850000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.298ca850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1b300000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.298ca850000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1b300000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.298ca850000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1b300000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.298ca850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.245516131.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.247075589.00000298CA850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.327804102.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.248215300.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.248087583.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.245417474.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.646304136.0000000000A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.328180679.000001B300000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.328137058.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.248564765.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.248656368.000001B300000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.327922020.00000298CA850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.246778578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.245618177.000001B300000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.648425079.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.245495998.00000298CA850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY