Windows Analysis Report
548IrCt4hj.dll

Overview

General Information

Sample Name: 548IrCt4hj.dll
Analysis ID: 672062
MD5: 7301880b88f87cd3a593f7106d5743cc
SHA1: c8a2b0ae061b612f4d4a4cfc4ee3e1f7079b4240
SHA256: c409ad4f64a1ad925ffbfdb88f57dd9177123364a1875caf6cbb6f5ba3970cc3
Tags: exeOpenCTIBRSandboxed

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Changes security center settings (notifications, updates, antivirus, firewall)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 548IrCt4hj.dll Virustotal: Detection: 70%
Source: 548IrCt4hj.dll Metadefender: Detection: 45%
Source: 548IrCt4hj.dll ReversingLabs: Detection: 88%
Source: https://174.138.33.49/U Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/hIn Avira URL Cloud: Label: malware
Source: https://174.138.33.49/Q Avira URL Cloud: Label: malware
Source: 00000005.00000002.638413256.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["118.98.72.86:443", "85.214.67.203:8080", "103.254.12.236:7080", "43.129.209.178:443", "88.217.172.165:8080", "78.47.204.80:443", "103.41.204.169:8080", "178.238.225.252:8080", "188.165.79.151:443", "104.244.79.94:443", "157.245.111.0:8080", "93.104.209.107:8080", "178.62.112.199:8080", "103.56.149.105:8080", "198.199.70.22:8080", "175.126.176.79:8080", "46.101.98.60:8080", "202.28.34.99:8080", "165.22.254.236:8080", "139.59.80.108:8080", "5.253.30.17:7080", "190.145.8.4:443", "54.37.228.122:443", "54.37.106.167:8080", "188.225.32.231:4143", "103.126.216.86:443", "196.44.98.190:8080", "104.248.225.227:8080", "37.44.244.177:8080", "87.106.97.83:7080", "64.227.55.231:8080", "210.57.209.142:8080", "83.229.80.93:8080", "174.138.33.49:7080", "85.25.120.45:8080", "139.196.72.155:8080", "190.107.19.179:443", "103.85.95.4:8080", "157.230.99.206:8080", "195.77.239.39:8080", "128.199.242.164:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0ObJw/wAXAJA=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWwrKX/wAcAJA="]}
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018006680C FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_000000018006680C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800671B0 FindFirstFileExW, 2_2_00000001800671B0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800677BC FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00000001800677BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8C9F0 FindFirstFileW,FindNextFileW, 5_2_00E8C9F0

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 174.138.33.49 7080
Source: Traffic Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.5:49768 -> 174.138.33.49:7080
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View IP Address: 157.245.111.0
Source: Joe Sandbox View IP Address: 157.230.99.206
Source: global traffic TCP traffic: 192.168.2.4:49758 -> 174.138.33.49:7080
Source: unknown Network traffic detected: IP country count 20
Source: unknown TCP traffic detected without corresponding DNS query: 174.138.33.49

E-Banking Fraud

Source: Yara match File source: 00000005.00000002.638413256.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.regsvr32.exe.2060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1f26fd40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2060000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1c7434e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1c7434e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1f26fd40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.637949653.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.249040025.000001C7434E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.248792041.000001F26FD71000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.638139112.0000000000E71000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.248763264.000001F26FD40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252638967.0000000002091000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252607659.0000000002060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.249084413.000001C743541000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\MbnmzGnNg\joXcB.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\MbnmzGnNg\
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018003724C 2_2_000000018003724C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002F72 2_2_0000000180002F72
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180001023 2_2_0000000180001023
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018003530C 2_2_000000018003530C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800019E2 2_2_00000001800019E2
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800021C6 2_2_00000001800021C6
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018003334C 2_2_000000018003334C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180037394 2_2_0000000180037394
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180001DE3 2_2_0000000180001DE3
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180033498 2_2_0000000180033498
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800394B0 2_2_00000001800394B0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800354B4 2_2_00000001800354B4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800374DC 2_2_00000001800374DC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018003B510 2_2_000000018003B510
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002103 2_2_0000000180002103
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180003477 2_2_0000000180003477
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018004D588 2_2_000000018004D588
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180071584 2_2_0000000180071584
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018003D5C4 2_2_000000018003D5C4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800029E1 2_2_00000001800029E1
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180033654 2_2_0000000180033654
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180037684 2_2_0000000180037684
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002829 2_2_0000000180002829
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002900 2_2_0000000180002900
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180039710 2_2_0000000180039710
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800016AE 2_2_00000001800016AE
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018003379C 2_2_000000018003379C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800637A4 2_2_00000001800637A4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180001D2F 2_2_0000000180001D2F
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002C93 2_2_0000000180002C93
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800029AA 2_2_00000001800029AA
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002BE4 2_2_0000000180002BE4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800338E4 2_2_00000001800338E4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180037914 2_2_0000000180037914
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000321A 2_2_000000018000321A
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180004200 2_2_0000000180004200
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800043DB 2_2_00000001800043DB
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180001280 2_2_0000000180001280
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180001AC3 2_2_0000000180001AC3
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800012DF 2_2_00000001800012DF
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000322E 2_2_000000018000322E
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180001302 2_2_0000000180001302
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180045B0C 2_2_0000000180045B0C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018000269E 2_2_000000018000269E
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180001721 2_2_0000000180001721
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180033BDC 2_2_0000000180033BDC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800019D8 2_2_00000001800019D8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002E00 2_2_0000000180002E00
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800019A6 2_2_00000001800019A6
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180033D24 2_2_0000000180033D24
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018003DD48 2_2_000000018003DD48
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180035D6C 2_2_0000000180035D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180033E6C 2_2_0000000180033E6C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180003D8C 2_2_0000000180003D8C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002095 2_2_0000000180002095
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180035EFC 2_2_0000000180035EFC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800013F7 2_2_00000001800013F7
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002586 2_2_0000000180002586
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002AA9 2_2_0000000180002AA9
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800025BD 2_2_00000001800025BD
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180033FB8 2_2_0000000180033FB8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00670000 2_2_00670000
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AEB08 2_2_020AEB08
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A8B3C 2_2_020A8B3C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AA804 2_2_020AA804
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AC8C0 2_2_020AC8C0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209CCC8 2_2_0209CCC8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020BB6BC 2_2_020BB6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A7414 2_2_020A7414
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02095B18 2_2_02095B18
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A1B88 2_2_020A1B88
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B7E28 2_2_020B7E28
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020ABD64 2_2_020ABD64
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209E254 2_2_0209E254
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020BA304 2_2_020BA304
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B632C 2_2_020B632C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B4330 2_2_020B4330
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A4368 2_2_020A4368
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B4020 2_2_020B4020
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A406C 2_2_020A406C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02094078 2_2_02094078
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020BA088 2_2_020BA088
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A6110 2_2_020A6110
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AA130 2_2_020AA130
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020941A8 2_2_020941A8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B2638 2_2_020B2638
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A0680 2_2_020A0680
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02096698 2_2_02096698
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A46B4 2_2_020A46B4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02092708 2_2_02092708
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AC720 2_2_020AC720
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AE7A4 2_2_020AE7A4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A27A4 2_2_020A27A4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B07D0 2_2_020B07D0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AA408 2_2_020AA408
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A6418 2_2_020A6418
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209C458 2_2_0209C458
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AE4A8 2_2_020AE4A8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B84DC 2_2_020B84DC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A24E4 2_2_020A24E4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B6520 2_2_020B6520
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A0578 2_2_020A0578
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A4594 2_2_020A4594
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A6594 2_2_020A6594
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AC5AC 2_2_020AC5AC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020925D8 2_2_020925D8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B0AC4 2_2_020B0AC4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02092AE4 2_2_02092AE4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B2AFC 2_2_020B2AFC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B8B28 2_2_020B8B28
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B6B40 2_2_020B6B40
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209CB6C 2_2_0209CB6C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A0B60 2_2_020A0B60
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AABD8 2_2_020AABD8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02092820 2_2_02092820
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02094848 2_2_02094848
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A484C 2_2_020A484C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B4918 2_2_020B4918
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B093C 2_2_020B093C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02094948 2_2_02094948
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A6978 2_2_020A6978
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B8990 2_2_020B8990
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A29BC 2_2_020A29BC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AC9F0 2_2_020AC9F0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B2E04 2_2_020B2E04
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AEE5C 2_2_020AEE5C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B8EE8 2_2_020B8EE8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B4EF4 2_2_020B4EF4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B2F3C 2_2_020B2F3C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B6F3C 2_2_020B6F3C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02098F5C 2_2_02098F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A2F94 2_2_020A2F94
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AEFAC 2_2_020AEFAC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209EFCC 2_2_0209EFCC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209AFE4 2_2_0209AFE4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B2C48 2_2_020B2C48
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A0C68 2_2_020A0C68
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B0C68 2_2_020B0C68
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02094C64 2_2_02094C64
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AACEC 2_2_020AACEC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02098CE0 2_2_02098CE0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209ED84 2_2_0209ED84
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B0DBC 2_2_020B0DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02092DC0 2_2_02092DC0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A3210 2_2_020A3210
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AF238 2_2_020AF238
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AD254 2_2_020AD254
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209F290 2_2_0209F290
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209B2BC 2_2_0209B2BC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020972E0 2_2_020972E0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B12FC 2_2_020B12FC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209D300 2_2_0209D300
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B3304 2_2_020B3304
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02091368 2_2_02091368
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020993AC 2_2_020993AC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A93E0 2_2_020A93E0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209B3E4 2_2_0209B3E4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020B13FC 2_2_020B13FC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02091014 2_2_02091014
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AB028 2_2_020AB028
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020930BC 2_2_020930BC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020990D4 2_2_020990D4
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020BB0EC 2_2_020BB0EC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209B0F8 2_2_0209B0F8
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020A7144 2_2_020A7144
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02095198 2_2_02095198
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0209B1A8 2_2_0209B1A8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001F26FD30000 3_2_000001F26FD30000
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000001C741C20000 4_2_000001C741C20000
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E30000 5_2_00E30000
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E77CAC 5_2_00E77CAC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9B6BC 5_2_00E9B6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E93894 5_2_00E93894
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E97E28 5_2_00E97E28
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8A804 5_2_00E8A804
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E87FEC 5_2_00E87FEC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8C9F0 5_2_00E8C9F0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E741A8 5_2_00E741A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E84368 5_2_00E84368
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8BD64 5_2_00E8BD64
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E71368 5_2_00E71368
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E88B3C 5_2_00E88B3C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E92F3C 5_2_00E92F3C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9A304 5_2_00E9A304
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E75B18 5_2_00E75B18
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E98EE8 5_2_00E98EE8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E72AE4 5_2_00E72AE4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8ACEC 5_2_00E8ACEC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9B0EC 5_2_00E9B0EC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E736E0 5_2_00E736E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E772E0 5_2_00E772E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E78CE0 5_2_00E78CE0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E91AE0 5_2_00E91AE0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E824E4 5_2_00E824E4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E73CE8 5_2_00E73CE8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E912FC 5_2_00E912FC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E92AFC 5_2_00E92AFC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E94EF4 5_2_00E94EF4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7B0F8 5_2_00E7B0F8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8C8C0 5_2_00E8C8C0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E89EC0 5_2_00E89EC0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E878C4 5_2_00E878C4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E90AC4 5_2_00E90AC4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7CCC8 5_2_00E7CCC8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E790D4 5_2_00E790D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E984DC 5_2_00E984DC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7FAD0 5_2_00E7FAD0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8D4D0 5_2_00E8D4D0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8E4A8 5_2_00E8E4A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E916A8 5_2_00E916A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E814A0 5_2_00E814A0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E976A4 5_2_00E976A4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E730BC 5_2_00E730BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7B2BC 5_2_00E7B2BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E846B4 5_2_00E846B4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9A088 5_2_00E9A088
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E75484 5_2_00E75484
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E80680 5_2_00E80680
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9369C 5_2_00E9369C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7F290 5_2_00E7F290
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9BE90 5_2_00E9BE90
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E73A9C 5_2_00E73A9C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E76698 5_2_00E76698
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7B698 5_2_00E7B698
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E80C68 5_2_00E80C68
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E90C68 5_2_00E90C68
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E74C64 5_2_00E74C64
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8406C 5_2_00E8406C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8FC70 5_2_00E8FC70
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E74078 5_2_00E74078
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E92C48 5_2_00E92C48
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8484C 5_2_00E8484C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9344C 5_2_00E9344C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E99A40 5_2_00E99A40
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E74848 5_2_00E74848
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7E254 5_2_00E7E254
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8EE5C 5_2_00E8EE5C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7F850 5_2_00E7F850
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E85C50 5_2_00E85C50
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8D254 5_2_00E8D254
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7FE58 5_2_00E7FE58
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7C458 5_2_00E7C458
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8B028 5_2_00E8B028
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8762C 5_2_00E8762C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E72820 5_2_00E72820
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8D620 5_2_00E8D620
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E94020 5_2_00E94020
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8F238 5_2_00E8F238
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E92638 5_2_00E92638
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E87C30 5_2_00E87C30
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E95E30 5_2_00E95E30
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8A408 5_2_00E8A408
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E92E04 5_2_00E92E04
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7BC08 5_2_00E7BC08
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E86418 5_2_00E86418
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E83E18 5_2_00E83E18
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E71014 5_2_00E71014
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8F61C 5_2_00E8F61C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E83210 5_2_00E83210
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E83610 5_2_00E83610
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E87414 5_2_00E87414
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7AFE4 5_2_00E7AFE4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7B3E4 5_2_00E7B3E4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E893E0 5_2_00E893E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E913FC 5_2_00E913FC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E731F0 5_2_00E731F0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E899F4 5_2_00E899F4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E72DC0 5_2_00E72DC0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7DFCC 5_2_00E7DFCC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7EFCC 5_2_00E7EFCC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8D9C4 5_2_00E8D9C4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8ABD8 5_2_00E8ABD8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E907D0 5_2_00E907D0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E93DD4 5_2_00E93DD4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E725D8 5_2_00E725D8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E99DA8 5_2_00E99DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8C5AC 5_2_00E8C5AC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8EFAC 5_2_00E8EFAC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E793AC 5_2_00E793AC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8E7A4 5_2_00E8E7A4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E827A4 5_2_00E827A4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7B1A8 5_2_00E7B1A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E77BB4 5_2_00E77BB4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E829BC 5_2_00E829BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E90DBC 5_2_00E90DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E87DB0 5_2_00E87DB0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E83BB4 5_2_00E83BB4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E81B88 5_2_00E81B88
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7ED84 5_2_00E7ED84
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7F580 5_2_00E7F580
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E98990 5_2_00E98990
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E82F94 5_2_00E82F94
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E84594 5_2_00E84594
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E86594 5_2_00E86594
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E75198 5_2_00E75198
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9796C 5_2_00E9796C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E80B60 5_2_00E80B60
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7CB6C 5_2_00E7CB6C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8F764 5_2_00E8F764
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E86978 5_2_00E86978
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E80578 5_2_00E80578
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7DB74 5_2_00E7DB74
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9B570 5_2_00E9B570
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E73F40 5_2_00E73F40
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E96B40 5_2_00E96B40
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E87144 5_2_00E87144
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E74948 5_2_00E74948
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8B558 5_2_00E8B558
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E89D5C 5_2_00E89D5C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9155C 5_2_00E9155C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E78F5C 5_2_00E78F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E98B28 5_2_00E98B28
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7BD24 5_2_00E7BD24
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E91D2C 5_2_00E91D2C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9632C 5_2_00E9632C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8C720 5_2_00E8C720
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E89720 5_2_00E89720
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9BD20 5_2_00E9BD20
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E96520 5_2_00E96520
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7D92C 5_2_00E7D92C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E83724 5_2_00E83724
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E87B24 5_2_00E87B24
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E9093C 5_2_00E9093C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E96F3C 5_2_00E96F3C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8A130 5_2_00E8A130
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E94330 5_2_00E94330
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8EB08 5_2_00E8EB08
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E7D300 5_2_00E7D300
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E93304 5_2_00E93304
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E72708 5_2_00E72708
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E94918 5_2_00E94918
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E83D1C 5_2_00E83D1C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E86110 5_2_00E86110
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000000018006BC48 appears 58 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00000001800019CE appears 79 times
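The two "String function ... appears N times" entries are cross-reference counts: a small leaf routine reached from dozens of call sites, usually with a constant argument, is the typical shape of a string decryption stub, and the other heavily referenced routines in a sample are normally allocator or CRT wrappers, which is why the signature names both. The script below is an added illustration, not part of the report or of any sandbox product: it reproduces that triage over plain disassembly text (objdump Intel/AT&T or IDA listing style), counting only direct calls because an indirect call has no static target. The input is constructed so that its counts match the two hits above.

```python
import re
from collections import Counter

# Direct calls in objdump (Intel or AT&T, "call"/"callq") and IDA ("call sub_...")
# output. Indirect calls (call rax, call qword ptr [rip+...], call *%rax) carry no
# static target and are deliberately not matched.
CALL_RE = re.compile(
    r"\bcallq?\s+(?:sub_|loc_)?(?:0x)?([0-9A-Fa-f]{6,16})\b", re.IGNORECASE
)

def count_call_targets(disasm_lines):
    """Map each directly called address to the number of call sites that reach it."""
    counts = Counter()
    for line in disasm_lines:
        m = CALL_RE.search(line)
        if m:
            counts[int(m.group(1), 16)] += 1
    return counts

def string_decrypt_candidates(disasm_lines, min_refs=20):
    """Addresses called from at least min_refs sites, most-called first.
    Heavily referenced leaf helpers are usually string decryptors, allocator
    wrappers or CRT helpers; triage by hand from the top of this list."""
    counts = count_call_targets(disasm_lines)
    return [(addr, n) for addr, n in counts.most_common() if n >= min_refs]

def _constructed_disassembly():
    """Constructed sample input (not disassembly of the analysed file): call sites
    whose totals mirror the two string-function hits above, 79 and 58."""
    lines = []
    site = 0x180001000
    for target, n in ((0x1800019CE, 78), (0x18006BC48, 58), (0x180034AFC, 3)):
        for _ in range(n):
            lines.append(f"  {site:x}:\te8 00 00 00 00\tcall   {target:x} <sub_{target:x}>")
            site += 0x10
    lines += [
        f"  {site:x}:\tff d0\tcall   rax",                        # indirect, ignored
        f"  {site + 2:x}:\tff 15 10 20 00 00\tcall   qword ptr [rip+0x2010]",
        ".text:0000000180002000   call    sub_1800019CE",        # IDA style, 79th site
    ]
    return lines

if __name__ == "__main__":
    for addr, n in string_decrypt_candidates(_constructed_disassembly()):
        print(f"{addr:016X} is called from {n} sites")
```

Run it against a real listing (objdump -d -M intel, or an IDA/Ghidra export) and confirm the top candidates by hand: a decryptor takes a pointer to an encrypted blob and a key or length, while an allocator wrapper takes a size, so the arguments at the call sites settle which is which.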
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: 548IrCt4hj.dll Virustotal: Detection: 70%
Source: 548IrCt4hj.dll Metadefender: Detection: 45%
Source: 548IrCt4hj.dll ReversingLabs: Detection: 88%
Source: 548IrCt4hj.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
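The section flags quoted for .text are the IMAGE_SECTION_HEADER.Characteristics bits; the static checks a sandbox runs at this stage (non-standard section names, sections that are both writable and executable, executable sections that are not marked as code or occupy no bytes on disk) all come from walking that table. The parser below is an added example, not the report's tooling, written against the standard library only; the PE32+ image it parses is constructed in the script (header and section table only, no code), and the ".junk" section is an invented bad case, not a section of the analysed DLL.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits from winnt.h
IMAGE_SCN_CNT_CODE               = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_DISCARDABLE        = 0x02000000
IMAGE_SCN_MEM_EXECUTE            = 0x20000000
IMAGE_SCN_MEM_READ               = 0x40000000
IMAGE_SCN_MEM_WRITE              = 0x80000000

FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_CNT_UNINITIALIZED_DATA: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    IMAGE_SCN_MEM_DISCARDABLE: "IMAGE_SCN_MEM_DISCARDABLE",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}

# Names the MSVC/MinGW linkers normally emit; anything else is worth a look
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".xdata", ".idata",
                     ".edata", ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".gfids"}

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]    # NumberOfSections
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + size_of_opt
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, image, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rawsize, "raw_pointer": rawptr,
            "characteristics": chars,
        })
    return sections

def describe_flags(chars):
    """Render Characteristics the way the report prints them."""
    names = [n for bit, n in FLAG_NAMES.items() if chars & bit]
    return " | ".join(names) if names else hex(chars)

def section_findings(sections):
    """Static checks: non-standard names, W+X, executable-but-not-code, and
    executable sections that occupy no bytes on disk (filled at runtime)."""
    findings = []
    for s in sections:
        c, name = s["characteristics"], s["name"]
        if name not in STANDARD_SECTIONS:
            findings.append((name, "non-standard section name"))
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append((name, "writable and executable"))
        if c & IMAGE_SCN_MEM_EXECUTE and not c & IMAGE_SCN_CNT_CODE:
            findings.append((name, "executable but not marked as code"))
        if c & IMAGE_SCN_MEM_EXECUTE and s["raw_size"] == 0 and s["virtual_size"]:
            findings.append((name, "executable with no data on disk"))
    return findings

def build_sample_image(specs):
    """Constructed PE32+ header-only image for the demo (not the analysed DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    size_of_opt = 0xF0                                         # PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(specs), 0, 0, 0, size_of_opt, 0x2022)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    table = b"".join(
        struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
        for n, vs, va, rs, rp, ch in specs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
SAMPLE_SECTIONS = [
    (".text",  0x7A000, 0x01000, 0x7A000, 0x00400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", 0x20000, 0x7B000, 0x20000, 0x7A400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".junk",  0x10000, 0x9B000, 0x00000, 0x00000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

if __name__ == "__main__":
    secs = parse_sections(build_sample_image(SAMPLE_SECTIONS))
    for s in secs:
        print(f"{s['name']:8} {describe_flags(s['characteristics'])}")
    for name, why in section_findings(secs):
        print(f"  {name}: {why}")
```

To run it on a file, pass open(path, "rb").read() to parse_sections; the checks are triage signals, not verdicts, since packers and some legitimate toolchains also produce odd names and W+X sections.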
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\548IrCt4hj.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\548IrCt4hj.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\548IrCt4hj.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\548IrCt4hj.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllCanUnloadNow
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MbnmzGnNg\joXcB.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\548IrCt4hj.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\548IrCt4hj.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllRegisterServer
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\548IrCt4hj.dll",#1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MbnmzGnNg\joXcB.dll"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: classification engine Classification label: mal100.troj.evad.winDLL@31/8@0/43
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800013F7 GetModuleFileNameW,CharNextW,LoadTypeLib,LoadTypeLib,SysAllocString,CoCreateInstance,StringFromGUID2,RegOpenKeyExW,RegQueryInfoKeyW,RegCloseKey,RegDeleteKeyW,RegOpenKeyExW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegCloseKey,GetModuleHandleW,GetProcAddress,UnRegisterTypeLib,UnRegisterTypeLib,SysFreeString, 2_2_00000001800013F7
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_020AA804 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification, 2_2_020AA804
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\548IrCt4hj.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5948:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180001721 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,lstrcmpiW,lstrcmpiW,CharNextW,lstrcmpiW,lstrcmpiW,lstrcmpiW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,CharNextW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegCreateKeyExW,RegCloseKey,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegQueryInfoKeyW,lstrcmpiW,RegQueryInfoKeyW,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegSetValueExW, 2_2_0000000180001721
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: 548IrCt4hj.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02098C72 push ebp; ret 2_2_02098C7D
Source: 548IrCt4hj.dll Static PE information: section name: .00cfg
Source: 548IrCt4hj.dll Static PE information: section name: _RDATA
Source: 548IrCt4hj.dll Static PE information: real checksum: 0xf69e3 should be: 0xf8045
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\548IrCt4hj.dll
Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\MbnmzGnNg\joXcB.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\MbnmzGnNg\joXcB.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 6308 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6304 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6784 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\regsvr32.exe API coverage: 3.4 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018006680C FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_000000018006680C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800671B0 FindFirstFileExW, 2_2_00000001800671B0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800677BC FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00000001800677BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00E8C9F0 FindFirstFileW,FindNextFileW, 5_2_00E8C9F0
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000019.00000002.428439293.000001A110CF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000015.00000002.603630722.0000019CF2E4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
Source: regsvr32.exe, 00000005.00000002.639099518.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.543111893.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.543343608.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.603173316.0000019CED629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.603630722.0000019CF2E4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.428413004.000001A110CEC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.428169475.000001A110C88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.638070495.000001E16CA02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: regsvr32.exe, 00000005.00000003.543111893.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.543364688.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.638935248.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000005.00000002.639099518.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.543111893.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.543343608.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW:VH
Source: svchost.exe, 0000000B.00000002.638410575.000001E16CA42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.638762672.0000024093E79000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.638340118.00000176A9E29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800016F9 IsDebuggerPresent, 2_2_00000001800016F9
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800041E7 GetLastError,IsDebuggerPresent,OutputDebugStringW, 2_2_00000001800041E7
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180002CD9 GetProcessHeap, 2_2_0000000180002CD9
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018002BAEC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_000000018002BAEC
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180003841 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0000000180003841

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 174.138.33.49 7080
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\548IrCt4hj.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_0000000180072138
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_00000001800721DC
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_00000001800722DC
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00000001800723C8
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 2_2_00000001800726A4
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 2_2_0000000180002B08
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0000000180072854
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 2_2_0000000180072960
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_0000000180072AD8
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_000000018006B3D0
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_000000018006B534
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_000000018006B5DC
Source: C:\Windows\System32\regsvr32.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_0000000180071D18
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800031CA __security_init_cookie,GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00000001800031CA

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000011.00000002.638678517.000001689CF02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000011.00000002.638678517.000001689CF02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.638413256.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.regsvr32.exe.2060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1f26fd40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2060000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1c7434e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1c7434e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1f26fd40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.637949653.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.249040025.000001C7434E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.248792041.000001F26FD71000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.638139112.0000000000E71000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.248763264.000001F26FD40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252638967.0000000002091000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252607659.0000000002060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.249084413.000001C743541000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY