Windows Analysis Report
3vYbe1bYFd.dll

Overview

General Information

Sample Name: 3vYbe1bYFd.dll
Analysis ID: 631916
MD5: bf2f633fde70f181cc81fe6dffb048e7
SHA1: b3aedb0275ec4f55f21a2e672e87c96b36f38959
SHA256: 663127c151c31915e66da770d7e2109306f1e2bf12acce04bb3defcb0de92134
Tags: exe

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 3vYbe1bYFd.dll Virustotal: Detection: 37%
Source: 3vYbe1bYFd.dll ReversingLabs: Detection: 43%
Source: https://165.22.73.229/ Virustotal: Detection: 6%
Source: 3vYbe1bYFd.dll Joe Sandbox ML: detected
Source: 3vYbe1bYFd.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 7_2_000000018000BEF0

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 165.22.73.229 8080
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View IP Address: 165.22.73.229
Source: global traffic TCP traffic: 192.168.2.3:49747 -> 165.22.73.229:8080
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: svchost.exe, 0000001B.00000003.375910345.0000014C9BB73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001B.00000003.375910345.0000014C9BB73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001B.00000003.375925864.0000014C9BB84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.375910345.0000014C9BB73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: regsvr32.exe, 00000007.00000003.538963258.000000000114C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.634012680.000000000114C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.603857311.0000029038E88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.420026923.0000014C9BB00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000018.00000002.603857311.0000029038E88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.419979853.0000014C9B2EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000007.00000002.633938939.0000000001120000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.539252087.0000000001120000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000007.00000003.538963258.000000000114C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.634012680.000000000114C000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.7.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000007.00000003.539137164.000000000119C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.634072790.000000000119C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.307082508.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?74d3d90d88404
Source: regsvr32.exe, 00000007.00000003.538963258.000000000114C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.634012680.000000000114C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabH
Source: regsvr32.exe, 00000007.00000002.634251433.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.307829167.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.307890391.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.307738141.0000000003371000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabt
Source: svchost.exe, 0000001B.00000003.392520522.0000014C9BB8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000013.00000002.318442092.0000024089013000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000011.00000002.633990708.000001E86223F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000011.00000002.633990708.000001E86223F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: regsvr32.exe, 00000007.00000002.633798852.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.539150633.00000000010F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/
Source: regsvr32.exe, 00000007.00000002.633798852.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.539150633.00000000010F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/:
Source: regsvr32.exe, 00000007.00000002.633798852.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.539150633.00000000010F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/
Source: regsvr32.exe, 00000007.00000002.633798852.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.539150633.00000000010F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/tem
Source: regsvr32.exe, 00000007.00000002.633798852.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.539150633.00000000010F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/tg5
Source: svchost.exe, 00000011.00000002.633990708.000001E86223F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000013.00000003.317849654.0000024089061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000011.00000002.633990708.000001E86223F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000011.00000002.633990708.000001E86223F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000013.00000003.318005723.0000024089049000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000013.00000003.317849654.0000024089061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000013.00000002.318486937.000002408903D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000013.00000003.317776474.0000024089067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.318540112.0000024089069000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000013.00000003.317849654.0000024089061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000013.00000003.296155575.0000024089030000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000013.00000003.317849654.0000024089061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000013.00000002.318486937.000002408903D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000013.00000003.317849654.0000024089061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000013.00000003.317849654.0000024089061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000013.00000003.317849654.0000024089061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000013.00000003.296155575.0000024089030000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000013.00000002.318493323.0000024089042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318036154.0000024089040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318089937.0000024089041000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000013.00000002.318493323.0000024089042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318036154.0000024089040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318089937.0000024089041000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000013.00000003.317849654.0000024089061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000013.00000002.318498118.000002408904B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318005723.0000024089049000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318036154.0000024089040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001B.00000003.392520522.0000014C9BB8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000013.00000003.318005723.0000024089049000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000013.00000002.318498118.000002408904B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318005723.0000024089049000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000013.00000002.318498118.000002408904B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318005723.0000024089049000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000013.00000003.318036154.0000024089040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318089937.0000024089041000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000013.00000003.317849654.0000024089061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000013.00000002.318486937.000002408903D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000013.00000003.296155575.0000024089030000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000001B.00000003.388278316.0000014C9C003000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388243624.0000014C9C002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388214343.0000014C9BB9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388325169.0000014C9BBAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388305706.0000014C9BB88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388351293.0000014C9C019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388226079.0000014C9BBAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000013.00000002.318486937.000002408903D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000013.00000002.318442092.0000024089013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.318486937.000002408903D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000013.00000003.318072301.0000024089045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318036154.0000024089040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000013.00000003.318072301.0000024089045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318036154.0000024089040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000013.00000003.296155575.0000024089030000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000013.00000002.318478368.0000024089039000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.296155575.0000024089030000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000013.00000002.318519840.0000024089056000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.317967284.000002408904D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.318154497.0000024089050000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001B.00000003.392520522.0000014C9BB8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000003.392520522.0000014C9BB8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.388278316.0000014C9C003000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388243624.0000014C9C002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388214343.0000014C9BB9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388325169.0000014C9BBAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388305706.0000014C9BB88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388351293.0000014C9C019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388226079.0000014C9BBAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001B.00000003.388278316.0000014C9C003000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388243624.0000014C9C002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388214343.0000014C9BB9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388325169.0000014C9BBAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388305706.0000014C9BB88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388351293.0000014C9C019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.388226079.0000014C9BBAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 0000001B.00000003.400604746.0000014C9BBAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.400585855.0000014C9BBAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.400650100.0000014C9C002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.400622481.0000014C9BB88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.400633517.0000014C9BB99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180017C8C InternetReadFile, 7_2_0000000180017C8C

E-Banking Fraud

Source: Yara match File source: 3.0.rundll32.exe.1e8b52c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.1290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1e8b52c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1e8b52c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.1290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1e8b52c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1ef360c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1e8b52c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1ef360c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1ef360c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1e8b52c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1ef360c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1ef360c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1ef360c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.250134876.000001E8B52C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.634375590.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.634110300.0000000001290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.261630591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.249906990.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.248944138.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.250231200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.249310347.000001EF360C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.261749514.000001E8B52C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.249207974.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.261251343.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.249070931.000001E8B52C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.261348422.000001EF360C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.250685839.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.250432192.000001EF360C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.250530772.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6352 -s 324
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\SyeNstLIaswClq\bXSPARJszx.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\SyeNstLIaswClq\
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFC66B9B3B0 appears 148 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFC66B9BD70 appears 113 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFC66B97FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFC66B9B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFC66B9BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFC66B97FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll (2 occurrences)
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: 3vYbe1bYFd.dll Virustotal: Detection: 37%
Source: 3vYbe1bYFd.dll ReversingLabs: Detection: 43%
Source: 3vYbe1bYFd.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\3vYbe1bYFd.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3vYbe1bYFd.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3vYbe1bYFd.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3vYbe1bYFd.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3vYbe1bYFd.dll,AddIn_FileTime
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SyeNstLIaswClq\bXSPARJszx.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3vYbe1bYFd.dll,AddIn_SystemTime
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6352 -s 324
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6360 -s 316
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3vYbe1bYFd.dll,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD56F.tmp
Source: classification engine Classification label: mal84.troj.evad.winDLL@30/16@0/2
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180029710 CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification, 7_2_0000000180029710
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3vYbe1bYFd.dll",#1
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6360
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6352
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:244:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: 3vYbe1bYFd.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: 3vYbe1bYFd.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180006951 pushad ; retf 2_2_0000000180006953
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC66BA12E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_00007FFC66BA12E3
Source: 3vYbe1bYFd.dll Static PE information: real checksum: 0x61dc7 should be: 0x672ae
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3vYbe1bYFd.dll
Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\SyeNstLIaswClq\bXSPARJszx.dll
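The three static PE lines above (image base 0x180000000, DYNAMIC_BASE and NX_COMPAT set, stored checksum 0x61dc7 against an expected 0x672ae) are cheap to reproduce outside the sandbox. The following is an added example, not the sandbox's code: it parses the optional header and recomputes the CheckSum with the standard PE algorithm (32-bit sum folded to 16 bits, the CheckSum field itself skipped, plus the file length). The 160-byte stub it builds is a constructed header-only fragment with the same characteristics the report attributes to the sample, not the sample itself; run `pe_static_info(open(path, "rb").read())` against a real file.

```python
"""Static PE checks: image base, DllCharacteristics and optional-header CheckSum.

Added example, not the sandbox's own code. The checksum routine follows the
documented PE algorithm (the one CheckSumMappedFile implements); the stub
builder below fabricates a header-only fragment for demonstration.
"""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32PLUS_MAGIC = 0x20B


def _optional_header_offset(data):
    """Offset of IMAGE_OPTIONAL_HEADER, validating the MZ/PE signatures on the way."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20  # PE signature + IMAGE_FILE_HEADER


def pe_checksum(data):
    """Checksum of the whole file as Windows computes it for the CheckSum field.

    Assumes the optional header is 4-byte aligned (true for compiler output)."""
    opt = _optional_header_offset(data)
    skip = (opt + 64) // 4  # CheckSum sits at optional-header offset 64 in PE32 and PE32+
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue  # the stored checksum does not take part in its own sum
        total += struct.unpack_from("<I", padded, i * 4)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry at 32 bits
    total = (total & 0xFFFF) + (total >> 16)  # fold to 16 bits
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def pe_static_info(data):
    """Fields behind the report's 'Static PE information' lines."""
    opt = _optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:  # PE32: BaseOfData precedes a 32-bit ImageBase
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "stored_checksum": stored,
        "computed_checksum": pe_checksum(data),
    }


def checksum_matches(data):
    """True when the stored CheckSum equals the recomputed one (the report's signature is the negation)."""
    info = pe_static_info(data)
    return info["stored_checksum"] == info["computed_checksum"]


def build_sample_stub(stored_checksum=0):
    """Constructed 160-byte header-only stub (not loadable): PE32+, image base
    0x180000000, DYNAMIC_BASE | NX_COMPAT, i.e. what the report states for the sample."""
    buf = bytearray(160)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20  # 0x58
    struct.pack_into("<H", buf, opt, PE32PLUS_MAGIC)
    struct.pack_into("<Q", buf, opt + 24, 0x180000000)
    struct.pack_into("<I", buf, opt + 64, stored_checksum)
    struct.pack_into("<H", buf, opt + 70,
                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    return bytes(buf)


if __name__ == "__main__":
    stub = build_sample_stub()
    for key, value in pe_static_info(stub).items():
        print(f"{key:18} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:18} {value}")
    print("checksum valid:", checksum_matches(stub))
```

A mismatching checksum is weak evidence on its own (many legitimate builds leave the field zero), but a value that is non-zero and wrong, as here, usually means the file was patched or packed after linking, which is why the sandbox scores it.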

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\SyeNstLIaswClq\bXSPARJszx.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (2 occurrences)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (40 occurrences)
Source: C:\Windows\System32\svchost.exe TID: 6648 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6660 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4712 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.6 %
Source: C:\Windows\System32\rundll32.exe API coverage: 8.2 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 7_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node (2 occurrences)
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node (2 occurrences)
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000018.00000002.603834204.0000029038E62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000001B.00000002.419846319.0000014C9B27E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: regsvr32.exe, 00000007.00000002.633938939.0000000001120000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.633798852.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.539252087.0000000001120000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.539150633.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.603463554.0000029033629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.603821491.0000029038E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.419972540.0000014C9B2E2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.419979853.0000014C9B2EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000010.00000002.633729352.000001DAD4802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000010.00000002.633811678.000001DAD483F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.634035891.000001E862266000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.633616529.0000026369829000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC66B93280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFC66B93280
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC66BA0215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error, 2_2_00007FFC66BA0215
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC66BA12E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_00007FFC66BA12E3
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort (4 occurrences)
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC66B93280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFC66B93280
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC66B9BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFC66B9BE50
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFC66B93280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFC66B93280
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFC66B9BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFC66B9BE50

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 165.22.73.229 8080
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3vYbe1bYFd.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (6 occurrences)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 occurrences)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 occurrences)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC66B98900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_00007FFC66B98900
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC66B98860 HeapCreate,GetVersion,HeapSetInformation, 2_2_00007FFC66B98860
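The two behaviours in this report that matter most for triage are visible in the process-creation listing and in the Network Connect line above: regsvr32.exe (loaded with the sample) moving the DLL into a freshly named sub-directory of System32 and re-registering it from a second regsvr32.exe, then connecting out to 165.22.73.229 on TCP 8080. Note that a number of other lines (the WMI SecurityCenter2 queries, the Security Center cval value, the BITS database volume queries) are sourced from svchost.exe service hosts rather than from the processes that loaded the sample, so any script that scores this listing should key on the source process. The following is an added example, not the sandbox's signature logic: it parses report lines of the form `Source: <process> <event>: <detail>` and applies two heuristics of its own (rule names, field names and thresholds are this example's choices). The sample lines are copied from this report with the link text removed.

```python
"""Triage of Joe Sandbox-style "Source: <process> <event>: <detail>" lines.

Added example, not part of the original report and not the sandbox's own
signature logic. Two heuristics, both drawn from lines in this report:
  1. regsvr32.exe spawning regsvr32.exe to register a DLL that sits in a
     sub-directory of C:\\Windows\\System32 (System32\\<dir>\\<name>.dll);
  2. a regsvr32/rundll32 host opening a connection to a non-web TCP port.
Rule names and output fields are this example's own.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample input: event lines copied from this report, "Jump to
# behavior" link text removed. A real run would feed the whole listing.
SAMPLE_LINES = r"""
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\3vYbe1bYFd.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3vYbe1bYFd.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3vYbe1bYFd.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3vYbe1bYFd.dll",#1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SyeNstLIaswClq\bXSPARJszx.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3vYbe1bYFd.dll,DllRegisterServer
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\regsvr32.exe Network Connect: 165.22.73.229 8080
"""

# Source paths may contain spaces (C:\Program Files\...), so match non-greedily
# up to the event keyword rather than on whitespace.
LINE_RE = re.compile(r"^Source: (?P<source>.+?) (?P<event>Process created|Network Connect): (?P<detail>.*)$")
PROC_RE = re.compile(r"^(?P<child>.+?\.exe) (?P<cmdline>.*)$", re.I)
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)

LOLBIN_HOSTS = {"regsvr32.exe", "rundll32.exe"}
WEB_PORTS = {80, 443}


def parse_line(line):
    """One report line -> dict with source/event/detail plus event-specific fields, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["event"] == "Process created":
        pm = PROC_RE.match(rec["detail"])
        if not pm:
            return None
        rec["child"], rec["cmdline"] = pm.group("child"), pm.group("cmdline")
    else:
        ip, port = rec["detail"].split()
        rec["ip"], rec["port"] = ip, int(port)
    return rec


def _image(path):
    """Lower-cased executable name of a Windows path ('unknown' stays as-is)."""
    return PureWindowsPath(path).name.lower()


def dll_under_system32_subdir(cmdline):
    """First DLL argument located below a sub-directory of System32, else None.

    A DLL directly in System32 has four path parts; one level deeper has five."""
    for m in DLL_RE.finditer(cmdline):
        path = PureWindowsPath(m.group(1) or m.group(2))
        parts = [p.lower() for p in path.parts]
        if len(parts) >= 5 and parts[1:3] == ["windows", "system32"]:
            return str(path)
    return None


def triage(text):
    """Run both heuristics over a block of report lines and return the findings in order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "Process created":
            dll = dll_under_system32_subdir(rec["cmdline"])
            if _image(rec["source"]) == "regsvr32.exe" and _image(rec["child"]) == "regsvr32.exe" and dll:
                findings.append({"rule": "regsvr32_reregisters_dll_from_system32_subdir",
                                 "source": rec["source"], "dll": dll})
        elif _image(rec["source"]) in LOLBIN_HOSTS and rec["port"] not in WEB_PORTS:
            findings.append({"rule": "lolbin_network_connect_nonweb_port",
                             "source": rec["source"], "ip": rec["ip"], "port": rec["port"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

The same two conditions translate directly to endpoint telemetry (parent and child image both regsvr32.exe with a DLL path matching System32\*\*.dll; regsvr32.exe or rundll32.exe as the initiating process of an outbound connection to a port other than 80 or 443), which is where a detection built from this report would actually live.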

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000016.00000002.633832303.000001FB1AE3D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000016.00000002.633859448.000001FB1AF02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000016.00000002.633859448.000001FB1AF02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 3.0.rundll32.exe.1e8b52c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.1290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1e8b52c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1e8b52c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.1290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1e8b52c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1ef360c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1e8b52c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1ef360c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1ef360c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1e8b52c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1ef360c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.1ef360c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1ef360c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.250134876.000001E8B52C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.634375590.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.634110300.0000000001290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.261630591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.249906990.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.248944138.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.250231200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.249310347.000001EF360C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.261749514.000001E8B52C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.249207974.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.261251343.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.249070931.000001E8B52C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.261348422.000001EF360C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.250685839.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.250432192.000001EF360C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.250530772.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY