
Windows Analysis Report
UC2DFXQIBiE2kQ.dll

Overview

General Information

Sample Name: UC2DFXQIBiE2kQ.dll
Analysis ID: 747451
MD5: e2ec88ae31e147d1976368c6a8988d3c
SHA1: 937a21ced7f2663c923c9c614cbe06d95def511a
SHA256: ae7e655db35a71a3b2df96051d722d7995ec94feea3cbd59bec501042ab40847

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Process tree

  • System is w10x64
  • loaddll64.exe (PID: 6100 cmdline: loaddll64.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4804 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 4688 cmdline: rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 5220 cmdline: regsvr32.exe /s C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 1392 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 4720 cmdline: rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ACeujVZMknFDjv MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2608 cmdline: rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,AHuDGMflBfPryOEYjuTfbzJdEM MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5292 cmdline: rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ATjQPkInxPUGuUu MD5: 73C519F050C20580F8A62C849D49215A)
  • regsvr32.exe (PID: 3952 cmdline: C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 2220 cmdline: C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ZamKJmwegN\JeCOx.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup
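The process tree above is the persistence chain behind the signatures "Creates an autostart registry key pointing to binary in C:\Windows" and "Registers a DLL": regsvr32.exe /s registers the sample, a copy is dropped into a randomly named folder under C:\Windows\system32\ and re-registered from there, and a further copy is loaded from %LOCALAPPDATA%\<random>\. The script below is an added hunting example, not part of the Joe Sandbox report: it parses reg query output of the Run keys and flags values that start a DLL through regsvr32.exe or rundll32.exe from exactly such a location. The registry listing is constructed for the example; it reuses the two DLL paths from the process tree, but the value names (JZgYREHBQT, JeCOx) and the benign entries are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed 'reg query' output (not from the report). The two loader entries
# reuse the DLL paths from the process tree; the value names JZgYREHBQT and
# JeCOx and the benign entries are assumptions made for the example.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    JZgYREHBQT    REG_SZ    "C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    JeCOx    REG_SZ    C:\Windows\system32\rundll32.exe "C:\Users\user\AppData\Local\ZamKJmwegN\JeCOx.dll",#1
"""

LOADERS = {"regsvr32.exe", "rundll32.exe"}
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")
DLL_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.dll)"?', re.IGNORECASE)
MIXED_CASE_WORD = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{5,}$")


def parse_reg_query(text):
    """Yield (key, value_name, data) triples from 'reg query' style output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(3)


def program_of(command):
    """Basename of the executable a Run value's command line starts."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:command.index('"', 1)]
    else:
        exe = command.split()[0]
    return PureWindowsPath(exe).name.lower()


def odd_dll_location(dll):
    """Explain why the DLL's folder is unusual for a legitimate Run entry, or None."""
    parts = [p.lower() for p in PureWindowsPath(dll).parts]
    if len(parts) == 5 and parts[1] == "windows" and parts[2] in ("system32", "syswow64"):
        return "DLL in a subdirectory of %SystemRoot%\\" + parts[2]
    if len(parts) == 7 and parts[1] == "users" and parts[3:5] == ["appdata", "local"]:
        return "DLL directly under a %LOCALAPPDATA% subdirectory"
    return None


def suspicious_run_values(reg_text):
    """Flag Run values that load a DLL through regsvr32/rundll32 from an odd place."""
    findings = []
    for key, name, data in parse_reg_query(reg_text):
        loader = program_of(data)
        if loader not in LOADERS:
            continue
        m = DLL_RE.search(data)
        if not m:
            continue
        dll = m.group(1)
        reasons = ["autostart through " + loader]
        where = odd_dll_location(dll)
        if where:
            reasons.append(where)
        p = PureWindowsPath(dll)
        if MIXED_CASE_WORD.match(p.parent.name) and MIXED_CASE_WORD.match(p.stem):
            reasons.append("random-looking directory and file names")
        if len(reasons) > 1:  # the loader alone is not enough; many installers use it
            findings.append({"key": key, "value": name, "loader": loader,
                             "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_run_values(SAMPLE_REG):
        print(hit["key"], hit["value"], hit["dll"], "; ".join(hit["reasons"]))
```

Feed it the output of reg query on HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the HKCU equivalent (or the same keys from a collected hive). The location test is the strong signal: a Run value that has regsvr32 or rundll32 load a DLL from a subfolder of System32 is rare enough to treat as high confidence. The mixed-case-name test only adds confidence and should not be alerted on by itself.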
Extracted malware configuration (Emotet):
{
  "C2 list": [
    "172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080",
    "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080",
    "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443",
    "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080",
    "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080",
    "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080",
    "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080",
    "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080",
    "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080",
    "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443",
    "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080",
    "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"
  ],
  "Public Key": [
    "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0IzjStTgSAJI=",
    "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW/zgWtVYeAJA="
  ]
}
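The two "Public Key" entries are base64-encoded CNG public-key blobs (BCRYPT_ECCKEY_BLOB from bcrypt.h): a 4-byte magic, a little-endian 4-byte cbKey, then the X and Y coordinates of cbKey bytes each. The magics decode to ECS1 (BCRYPT_ECDSA_PUBLIC_P256_MAGIC) and ECK1 (BCRYPT_ECDH_PUBLIC_P256_MAGIC), consistent with Emotet's use of ECDH for session-key agreement and ECDSA for signing C2 responses; the sample's own call to CryptStringToBinaryA (function 3_2_000000018004A020 under AV Detection below) is most likely the same base64 decode step before the keys are imported into CNG. The parser below is an added example, not Joe Security's code: it checks the header, splits out the point, verifies it lies on P-256, and reports any bytes beyond the 72 the header accounts for, so an extractor that dumped more than the key does not go unnoticed.

```python
import base64
import struct

# The two "Public Key" strings from the extracted configuration above.
KEYS = [
    "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0IzjStTgSAJI=",
    "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW/zgWtVYeAJA=",
]

# BCRYPT_ECCKEY_BLOB magic values for P-256 public keys (bcrypt.h).
ECC_MAGIC = {
    b"ECS1": "ECDSA P-256 public key (BCRYPT_ECDSA_PUBLIC_P256_MAGIC)",
    b"ECK1": "ECDH P-256 public key (BCRYPT_ECDH_PUBLIC_P256_MAGIC)",
}

# NIST P-256: y^2 = x^3 - 3x + b over GF(p); used only to sanity-check the point.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def on_p256(x, y):
    """True if (x, y) is an affine point on P-256."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def parse_ecc_blob(b64):
    """Parse a base64 BCRYPT_ECCKEY_BLOB: magic(4) | cbKey(4, LE) | X | Y."""
    raw = base64.b64decode(b64)
    if len(raw) < 8:
        raise ValueError("shorter than a BCRYPT_ECCKEY_BLOB header")
    magic = raw[:4]
    if magic not in ECC_MAGIC:
        raise ValueError("unknown key blob magic %r" % magic)
    (cb_key,) = struct.unpack_from("<I", raw, 4)
    end = 8 + 2 * cb_key
    if len(raw) < end:
        raise ValueError("blob truncated: %d bytes, need %d" % (len(raw), end))
    x = int.from_bytes(raw[8:8 + cb_key], "big")  # CNG stores X and Y big-endian
    y = int.from_bytes(raw[8 + cb_key:end], "big")
    return {
        "magic": magic.decode("ascii"),
        "kind": ECC_MAGIC[magic],
        "cb_key": cb_key,
        "x": x,
        "y": y,
        "on_curve": on_p256(x, y),
        "total_len": len(raw),
        "trailing_bytes": len(raw) - end,  # whatever the extractor dumped past the key
    }


if __name__ == "__main__":
    for key in KEYS:
        info = parse_ecc_blob(key)
        print(info["magic"], info["kind"], "cbKey=%d" % info["cb_key"],
              "on_curve=%s" % info["on_curve"], "trailing=%d" % info["trailing_bytes"])
```

A point that fails the curve check means the bytes are not a usable key (a corrupted dump or a mis-sized extraction), so the on_curve field is worth checking before an extracted key is used to cluster samples or to decrypt captured traffic.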
Yara matches in memory dumps
Source | Rule | Description | Author
00000007.00000002.769739205.0000000002E41000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000007.00000002.769387929.0000000001540000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000004.00000002.250855705.000001D676C81000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000005.00000002.251110585.000001FB00141000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000005.00000002.250957440.000001FB00100000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(7 further memory-dump matches are not shown here; all 12 are listed as MEMORY sources under E-Banking Fraud below)
Yara matches in unpacked PE files
Source | Rule | Description | Author
5.2.rundll32.exe.1fb00100000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.regsvr32.exe.960000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
5.2.rundll32.exe.1fb00100000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.rundll32.exe.1d676b30000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
6.2.rundll32.exe.1cc28be0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(7 further unpacked-PE matches are not shown here; all 12 are listed as UNPACKEDPE sources under E-Banking Fraud below)
                      No Sigma rule has matched
Snort IDS alert
Timestamp: 11/16/22-11:49:29.070302
SID: 2404304
Source: 192.168.2.6:49714
Destination: 115.178.55.22:80
Protocol: TCP
Classtype: A Network Trojan was detected


                      AV Detection

Source: UC2DFXQIBiE2kQ.dll | ReversingLabs: Detection: 80%
Source: 00000007.00000002.768477022.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet (the configuration listed under Overview above: 48 C2 endpoints and two public keys)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018004A020 CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180029290 FindFirstFileExW,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018002972C FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,

                      Networking

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 115.178.55.22 80
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 172.105.115.71 8080
Source: Traffic | Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.6:49714 -> 115.178.55.22:80
Source: Malware configuration extractor | IPs (the 48 C2 endpoints of the extracted configuration):
    172.105.115.71:8080, 218.38.121.17:443, 186.250.48.5:443, 103.71.99.57:8080, 85.214.67.203:8080, 85.25.120.45:8080,
    139.196.72.155:8080, 103.85.95.4:8080, 198.199.70.22:8080, 209.239.112.82:8080, 78.47.204.80:443, 36.67.23.59:443,
    104.244.79.94:443, 62.171.178.147:8080, 195.77.239.39:8080, 103.56.149.105:8080, 80.211.107.116:8080, 93.104.209.107:8080,
    174.138.33.49:7080, 202.28.34.99:8080, 178.62.112.199:8080, 114.79.130.68:443, 118.98.72.86:443, 103.41.204.169:8080,
    178.238.225.252:8080, 83.229.80.93:8080, 46.101.98.60:8080, 82.98.180.154:7080, 87.106.97.83:7080, 196.44.98.190:8080,
    139.59.80.108:8080, 103.224.241.74:8080, 103.254.12.236:7080, 185.148.169.10:8080, 165.22.254.236:8080, 37.44.244.177:8080,
    54.37.228.122:443, 51.75.33.122:443, 128.199.217.206:443, 188.165.79.151:443, 210.57.209.142:8080, 160.16.143.191:8080,
    175.126.176.79:8080, 202.134.4.210:7080, 103.126.216.86:443, 190.145.8.4:443, 128.199.242.164:8080, 64.227.55.231:8080
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | IP Address: 172.105.115.71
Source: Joe Sandbox View | IP Address: 188.165.79.151
Source: unknown | Network traffic detected: IP country count 20
Source: unknown | TCP traffic detected without corresponding DNS query: 115.178.55.22 (3 connections), 172.105.115.71 (12 connections)
Source: regsvr32.exe, 00000007.00000003.493404883.0000000001357000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.768679116.0000000001357000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000007.00000002.768740454.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493786263.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493440386.000000000136C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000007.00000002.768979503.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493501113.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.7.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000007.00000002.768979503.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493501113.00000000013A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabw
Source: regsvr32.exe, 00000007.00000003.493459160.000000000137D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493884642.0000000001383000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.768834712.0000000001383000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493725445.0000000001380000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://112.105.115.71:8080/
Source: regsvr32.exe, 00000007.00000002.768740454.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493786263.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493440386.000000000136C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://172.105.115.71:8080/
Source: regsvr32.exe, 00000007.00000003.493459160.000000000137D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.768740454.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493786263.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493884642.0000000001383000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.768834712.0000000001383000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493440386.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493725445.0000000001380000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://172.105.115.71:8080/lskyxdliqorbrr/wjoazpr/kccttvfhu/
Source: regsvr32.exe, 00000007.00000002.768740454.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493786263.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493440386.000000000136C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://172.105.115.71:8080/lskyxdliqorbrr/wjoazpr/kccttvfhu/dll
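Three details in this section matter for detection engineering. The Snort hit (SID 2404304, Feodo Tracker) and the first outbound connection both go to 115.178.55.22:80, which is not one of the 48 endpoints in the extracted configuration, so indicators taken only from the config would have missed it. Every C2 connection went straight to an IP address with no preceding DNS query, which the report flags fifteen times. And the URL strings show the beacon went to https://172.105.115.71:8080/ with an opaque multi-segment path, so the destination, not the path, is what to match on. The script below is an added example and not part of the report: it loads the report's C2 list and triages constructed flow records (not taken from the sandbox pcap) in three tiers: exact ip:port match, IP match on another port, and a public destination never seen in a DNS answer.

```python
import ipaddress

# C2 list exactly as extracted from the sample's configuration (ip:port).
EMOTET_C2 = """
172.105.115.71:8080 218.38.121.17:443 186.250.48.5:443 103.71.99.57:8080
85.214.67.203:8080 85.25.120.45:8080 139.196.72.155:8080 103.85.95.4:8080
198.199.70.22:8080 209.239.112.82:8080 78.47.204.80:443 36.67.23.59:443
104.244.79.94:443 62.171.178.147:8080 195.77.239.39:8080 103.56.149.105:8080
80.211.107.116:8080 93.104.209.107:8080 174.138.33.49:7080 202.28.34.99:8080
178.62.112.199:8080 114.79.130.68:443 118.98.72.86:443 103.41.204.169:8080
178.238.225.252:8080 83.229.80.93:8080 46.101.98.60:8080 82.98.180.154:7080
87.106.97.83:7080 196.44.98.190:8080 139.59.80.108:8080 103.224.241.74:8080
103.254.12.236:7080 185.148.169.10:8080 165.22.254.236:8080 37.44.244.177:8080
54.37.228.122:443 51.75.33.122:443 128.199.217.206:443 188.165.79.151:443
210.57.209.142:8080 160.16.143.191:8080 175.126.176.79:8080 202.134.4.210:7080
103.126.216.86:443 190.145.8.4:443 128.199.242.164:8080 64.227.55.231:8080
""".split()

# Constructed flow records for the example (not from the sandbox pcap):
#   <epoch> dns <client_ip> <queried_name> <answer_ip>
#   <epoch> tcp <src_ip>:<src_port> <dst_ip>:<dst_port>
SAMPLE_LOG = """
1668599300 dns 192.168.2.6 ctldl.windowsupdate.com 23.200.1.10
1668599301 tcp 192.168.2.6:49710 23.200.1.10:80
1668599305 tcp 192.168.2.6:49712 192.168.2.1:445
1668599369 tcp 192.168.2.6:49714 115.178.55.22:80
1668599372 tcp 192.168.2.6:49716 172.105.115.71:8080
1668599380 tcp 192.168.2.6:49720 188.165.79.151:8080
""".strip().splitlines()


def parse_c2(entries):
    """Turn 'ip:port' strings into a set of (ip, int port) tuples."""
    endpoints = set()
    for entry in entries:
        ip, port = entry.rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises on a malformed extractor entry
        endpoints.add((ip, int(port)))
    return endpoints


C2_ENDPOINTS = parse_c2(EMOTET_C2)
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}


def triage(lines, endpoints=C2_ENDPOINTS):
    """Return (epoch, 'ip:port', verdict) for every suspicious outbound TCP flow."""
    c2_ips = {ip for ip, _ in endpoints}
    resolved = set()  # answer IPs seen in DNS responses so far
    findings = []
    for line in lines:
        f = line.split()
        if len(f) < 4:
            continue
        epoch, kind = int(f[0]), f[1]
        if kind == "dns":
            resolved.add(f[4])
            continue
        if kind != "tcp":
            continue
        dst_ip, dst_port = f[3].rsplit(":", 1)
        dst_port = int(dst_port)
        if not ipaddress.ip_address(dst_ip).is_global:
            continue  # RFC 1918, loopback and link-local are out of scope here
        if (dst_ip, dst_port) in endpoints:
            verdict = "c2_exact"
        elif dst_ip in c2_ips:
            verdict = "c2_ip_other_port"
        elif dst_ip not in resolved:
            verdict = "direct_ip_no_dns"
        else:
            continue
        findings.append((epoch, "%s:%d" % (dst_ip, dst_port), verdict))
    return findings


if __name__ == "__main__":
    for epoch, dst, verdict in triage(SAMPLE_LOG):
        print(epoch, dst, verdict)
```

The first two tiers are safe to alert on. The third is noisy on real networks (OCSP and CRL fetches, update CDNs and some agents connect by IP), so use it for enrichment and hunting rather than blocking; it is also the only tier that would have surfaced 115.178.55.22 here.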

                      E-Banking Fraud

Source: Yara match | File source, type UNPACKEDPE:
    5.2.rundll32.exe.1fb00100000.0.raw.unpack, 3.2.regsvr32.exe.960000.0.unpack, 5.2.rundll32.exe.1fb00100000.0.unpack,
    4.2.rundll32.exe.1d676b30000.0.unpack, 6.2.rundll32.exe.1cc28be0000.0.unpack, 4.2.rundll32.exe.1d676b30000.0.raw.unpack,
    16.2.regsvr32.exe.970000.0.unpack, 6.2.rundll32.exe.1cc28be0000.0.raw.unpack, 7.2.regsvr32.exe.1540000.0.unpack,
    16.2.regsvr32.exe.970000.0.raw.unpack, 7.2.regsvr32.exe.1540000.0.raw.unpack, 3.2.regsvr32.exe.960000.0.raw.unpack
Source: Yara match | File source, type MEMORY:
    00000007.00000002.769739205.0000000002E41000.00000020.00001000.00020000.00000000.sdmp
    00000007.00000002.769387929.0000000001540000.00000040.00001000.00020000.00000000.sdmp
    00000004.00000002.250855705.000001D676C81000.00000020.00001000.00020000.00000000.sdmp
    00000005.00000002.251110585.000001FB00141000.00000020.00001000.00020000.00000000.sdmp
    00000005.00000002.250957440.000001FB00100000.00000040.00001000.00020000.00000000.sdmp
    00000003.00000002.258012521.0000000000C41000.00000020.00001000.00020000.00000000.sdmp
    00000003.00000002.257855329.0000000000960000.00000040.00001000.00020000.00000000.sdmp
    00000006.00000002.255048362.000001CC2A6A1000.00000020.00001000.00020000.00000000.sdmp
    00000010.00000002.407582886.0000000000970000.00000040.00001000.00020000.00000000.sdmp
    00000004.00000002.250572025.000001D676B30000.00000040.00001000.00020000.00000000.sdmp
    00000010.00000002.408383126.0000000000B41000.00000020.00001000.00020000.00000000.sdmp
    00000006.00000002.254840159.000001CC28BE0000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe | File deleted: C:\Windows\System32\IUvcffQnjRFArsrM\JZgYREHBQT.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\IUvcffQnjRFArsrM\
Source: C:\Windows\System32\regsvr32.exe | Code function (28 addresses, each with the report's 3_2_ prefix):
    0000000180044C30, 0000000180031018, 00000001800391F8, 0000000180020204, 000000018001F22C, 000000018003D23C,
    0000000180029290, 0000000180024460, 000000018001F4B0, 00000001800204D0, 000000018003459C, 000000018003B5A0,
    00000001800305F8, 0000000180017604, 000000018001F74C, 0000000180032824, 0000000180037854, 000000018002B890,
    000000018000A93C, 000000018003A9A0, 000000018001F9B4, 0000000180026A0C, 0000000180028B30, 000000018001FC30,
    0000000180031C3C, 000000018003AE50, 000000018001FF10, 0000000180032F94
Source: C:\Windows\System32\regsvr32.exe | Code function (92 addresses in the unpacked payload, each with the report's 3_2_ prefix):
    00990000, 00C648E0, 00C438A5, 00C4B1E0, 00C68C94, 00C60454,
    00C44DDC, 00C45DB4, 00C49E38, 00C4B8D0, 00C438DC, 00C598DC,
    00C46880, 00C5308C, 00C5B898, 00C64098, 00C510AC, 00C478B6,
    00C548B0, 00C6005C, 00C41000, 00C4E828, 00C42834, 00C469C0,
    00C4A1D4, 00C5C1DC, 00C479D8, 00C4D1E0, 00C499EC, 00C599E8,
    00C57198, 00C559A0, 00C4D1AC, 00C49144, 00C50954, 00C4F174,
    00C5C974, 00C52110, 00C69124, 00C42128, 00C60930, 00C4EAC4,
    00C47AF0, 00C5B2F0, 00C62A84, 00C5629C, 00C6629C, 00C49298,
    00C52244, 00C5827C, 00C68A04, 00C5FA08, 00C41A1C, 00C4BA24,
    00C61A2C, 00C59230, 00C4F3E0, 00C49BEC, 00C43BE8, 00C573F8,
    00C57BF8, 00C4CB8D, 00C62B8C, 00C5FB88, 00C53B88, 00C44B4C,
    00C67348, 00C41B5C, 00C46B5C, 00C41364, 00C4C364, 00C4E368,
    00C50310, 00C55B18, 00C5D32C, 00C55334, 00C41CCC, 00C484F8,
    00C664F8, 00C6748C, 00C4C498, 00C44CA0, 00C54C48, 00C56464,
    00C45478, 00C55400, 00C4741C, 00C65D84, 00C45590, 00C51DAC,
    00C60D54, 00C5F550
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C58560
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C4E570
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C4BD00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C58D0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C55508
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C49D24
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C53524
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C5B520
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C63D28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C58ECC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C4AE84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C64680
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C47694
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C55694
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C68690
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C4569C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C53698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C67EA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C496B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C46650
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C51664
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C41660
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C5E614
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C4BE34
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C53FE0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C52780
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C54FA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C48FA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C597AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C657B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C4FF64
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C5E76C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C58778
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C4E708
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C4871C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C61728
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C4A734
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00C5CF30
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000001D676B60000
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001FB00130000
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000001CC28C10000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_01420000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E42A7C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E49E38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5FA08
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E43BE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E573F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5E76C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5D718
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E648E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E438DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E62CBC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4B1E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E44DDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E45DB4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E49144
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E47AF0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5B2F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4EAC4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E58ECC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E67EA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4C6A2
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E496B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4AE84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E62A84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E64680
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E47694
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E55694
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E68690
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4569C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5629C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E6629C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E49298
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E53698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E51664
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E41660
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5827C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E52244
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E46650
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4BA24
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E61A2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4BE34
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E59230
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E68A04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5E614
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E41A1C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4F3E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E53FE0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E49BEC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E57BF8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E54FA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E48FA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E597AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E657B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E647B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E52780
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E62B8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E53B88
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5FB88
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E41364
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4FF64
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4C364
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4E368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E58778
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E44B4C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E67348
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E41B5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E46B5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5D32C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E61728
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E65B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4A734
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E55334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5CF30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4E708
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E50310
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4871C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E55B18
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E484F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E664F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E41CCC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4B8D0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E598DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E44CA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E510AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E478B6
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E548B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E46880
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5308C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E6748C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E68C94
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4C498
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5B898
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E64098
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E56464
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E45478
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E54C48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E60454
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E6005C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4E828
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E42834
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4CC06
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E41000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E55400
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E63C0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4741C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4D1E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E499EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E599E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E469C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4A1D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5C1DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E479D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E559A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4D1AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E51DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E65D84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E45590
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E57198
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E58560
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E69568
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4F174
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5C974
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4E570
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E50954
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E60D54
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5F550
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E49D24
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E53524
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E69124
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E5B520
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E42128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E63D28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E60930
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E4BD00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E58D0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E55508
                      Source: C:\Windows\System32\regsvr32.exeCode function: 7_2_02E52110
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_009A0000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B438A5
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B68C94
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B648E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B60454
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B45DB4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4B1E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B44DDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B49E38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B55B18
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B478B6
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B548B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B44CA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B510AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4C498
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5B898
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B64098
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B46880
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5308C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B6748C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B484F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B664F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4B8D0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B438DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B598DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B41CCC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B42834
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4E828
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4741C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B41000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B55400
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B63C0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B45478
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4D864
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B56464
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B6005C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B54C48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B559A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4D1AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B51DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B45590
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B57198
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B65D84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B499EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B599E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4A1D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5C1DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B479D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B469C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4D1CA
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B60930
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B49D24
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B53524
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B69124
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5B520
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B42128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B63D28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B52110
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4BD00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B58D0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B55508
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4F174
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5C974
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4E570
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B58560
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B69568
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B50954
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B60D54
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5F550
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B49144
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B496B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B67EA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B47694
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B55694
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B68690
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4569C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5629C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B6629C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B49298
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B53698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4AE84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B62A84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B64680
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B47AF0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5B2F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4EAC4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B58ECC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4BE34
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B59230
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4BA24
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B61A2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5E614
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B41A1C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B68A04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5FA08
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5827C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B51664
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B41660
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B46650
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B52244
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B657B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B647B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B54FA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B48FA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B597AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B52780
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4CB8D
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B62B8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5FB88
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B53B88
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B573F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B57BF8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4F3E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B53FE0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B49BEC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B43BE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4A734
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B55334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5CF30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5D32C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B61728
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B65B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B50310
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4871C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4E708
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B58778
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B41364
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4FF64
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4C364
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B5E76C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00B4E368
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B46B5C
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B41B5C
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B44B4C
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B67348
Source: C:\Windows\System32\regsvr32.exe | Code function: String function: 000000018002CA30 appears 48 times
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: UC2DFXQIBiE2kQ.dll | ReversingLabs: Detection: 80%
Source: UC2DFXQIBiE2kQ.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ACeujVZMknFDjv
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,AHuDGMflBfPryOEYjuTfbzJdEM
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ATjQPkInxPUGuUu
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ZamKJmwegN\JeCOx.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ACeujVZMknFDjv
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,AHuDGMflBfPryOEYjuTfbzJdEM
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ATjQPkInxPUGuUu
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll"
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ZamKJmwegN\JeCOx.dll"
Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\regsvr32.exe | File created: C:\Users\user\AppData\Local\ZamKJmwegN\
Source: classification engine | Classification label: mal84.troj.evad.winDLL@19/2@0/49
Source: C:\Windows\System32\regsvr32.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C45DB4 FindCloseChangeNotification,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\regsvr32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: UC2DFXQIBiE2kQ.dll | Static PE information: More than 250 > 100 exports found
Source: UC2DFXQIBiE2kQ.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: UC2DFXQIBiE2kQ.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UC2DFXQIBiE2kQ.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UC2DFXQIBiE2kQ.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UC2DFXQIBiE2kQ.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UC2DFXQIBiE2kQ.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UC2DFXQIBiE2kQ.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: UC2DFXQIBiE2kQ.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UC2DFXQIBiE2kQ.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UC2DFXQIBiE2kQ.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UC2DFXQIBiE2kQ.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UC2DFXQIBiE2kQ.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UC2DFXQIBiE2kQ.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800131BD push rdi; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180013749 push rdi; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C5E0D3 push 09B8E1F7h; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C5E0E9 push 8B48E1F7h; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C63127 push ebp; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C63A7E push ebp; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C4838C push eax; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C5E5C5 pushad ; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C62E55 push ebp; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C62F5E push ebp; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 7_2_02E4838C push eax; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B5E0E9 push 8B48E1F7h; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B5E0D3 push 09B8E1F7h; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B5E5C5 pushad ; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B63127 push ebp; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B63A7E push ebp; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B62E55 push ebp; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B4838C push eax; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B63BE1 push ebp; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00B62F5E push ebp; ret
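
The push/ret and push/retf pairs listed above are what the "Uses code obfuscation techniques (call, push, ret)" signature keys on: the pushed value becomes the return address, so control transfers without a visible jmp or call and a static disassembler loses the flow. The scanner below is an added example written for this page, not code from the sandbox or from the sample. It runs over a constructed byte buffer that reproduces the instruction shapes listed above (the buffer is not bytes from the analysed DLL) and reports each gadget with its offset and, for push imm32, the target it would return into. Register naming follows the mode: the same 0x57 byte is push rdi in 64-bit code and push edi in 32-bit code, and pushad (0x60) is only a valid opcode in 32-bit mode, which is why the report shows both spellings for the x64 module and its 32-bit-decoded unpacked regions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample buffer for the example (not bytes from the analysed DLL). It embeds
# the gadget shapes the report lists, "push imm32; retf" and "push reg; ret(f)", between
# filler instructions the scanner has to step over.
SAMPLE_CODE = bytes([
    0x90, 0x90,                              # nop; nop
    0x68, 0xF7, 0xE1, 0xB8, 0x09, 0xCB,      # push 09B8E1F7h; retf
    0x48, 0x31, 0xC0,                        # xor rax, rax
    0x57, 0xC3,                              # push rdi/edi; ret
    0x55, 0xCB,                              # push rbp/ebp; retf
    0x60, 0xC3,                              # pushad; ret (32-bit mode only)
    0x50, 0xC3,                              # push rax/eax; ret
])

RETURNS = {0xC3: "ret", 0xCB: "retf"}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


@dataclass(frozen=True)
class Gadget:
    offset: int            # address of the push (base + index into the buffer)
    text: str              # disassembly-style description
    target: Optional[int]  # immediate that becomes the return address, for push imm32


def find_push_ret_gadgets(code: bytes, base: int = 0, x64: bool = False) -> List[Gadget]:
    """Scan raw bytes for 'push ...; ret/retf' pairs.

    This is a byte-pattern scan, not a disassembler: it can fire on data that happens
    to look like code, and it cannot see instructions reached only through a different
    decoding alignment. Treat hits as leads to confirm in a disassembler.
    """
    regs = REG64 if x64 else REG32
    hits: List[Gadget] = []
    n = len(code)
    for i in range(n - 1):
        op = code[i]
        if op == 0x68 and i + 5 < n and code[i + 5] in RETURNS:          # push imm32; ret/retf
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append(Gadget(base + i, f"push {imm:08X}h; {RETURNS[code[i + 5]]}", imm))
        elif 0x50 <= op <= 0x57 and code[i + 1] in RETURNS:              # push reg; ret/retf
            hits.append(Gadget(base + i, f"push {regs[op - 0x50]}; {RETURNS[code[i + 1]]}", None))
        elif op == 0x60 and not x64 and code[i + 1] in RETURNS:          # pushad; ret (no pushad in 64-bit mode)
            hits.append(Gadget(base + i, f"pushad; {RETURNS[code[i + 1]]}", None))
    return hits


def gadget_summary(hits: List[Gadget]) -> dict:
    """Count gadgets by return type, the shape a triage note usually wants."""
    out = {"ret": 0, "retf": 0}
    for h in hits:
        out[h.text.rsplit("; ", 1)[1]] += 1
    return out


if __name__ == "__main__":
    # Base 0x00C40000 is where the report places the unpacked 32-bit region (3_2_00C5E0D3 etc.).
    for g in find_push_ret_gadgets(SAMPLE_CODE, base=0x00C40000):
        extra = f"  -> target {g.target:#010x}" if g.target is not None else ""
        print(f"{g.offset:08X}  {g.text}{extra}")
    print(gadget_summary(find_push_ret_gadgets(SAMPLE_CODE)))
```

A retf hit deserves a closer look than a plain ret: a far return also pops a code segment selector, and on 64-bit Windows a push imm32 followed by retf is the shape of a WoW64 "Heaven's Gate" style transition, which is one reason sandboxes weigh it.
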
Source: UC2DFXQIBiE2kQ.dll | Static PE information: section name: _RDATA
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll
Source: C:\Windows\System32\regsvr32.exe | PE file moved: C:\Windows\System32\IUvcffQnjRFArsrM\JZgYREHBQT.dll
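
The static PE facts in this section (an x64 DLL, image base 0x180000000 above the 0x60000000 threshold, more than 100 exports, the non-standard _RDATA section name, which data directories are present and which section holds each) can all be read from the headers without loading the file. The parser below is an added example for this page, not the sandbox's own code; it walks the PE32/PE32+ headers with the standard library only and applies the same thresholds the report uses. Because the analysed DLL is not reproduced here, build_sample_dll constructs a minimal in-memory PE32+ image with the same properties (three sections, 260 exports, image base 0x180000000); that image is example data, not a loadable or real binary.

```python
import struct

DATA_DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def _section_for_rva(rva, sections):
    """Return the section containing `rva`, or None for an RVA outside every section."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def pe_static_info(data: bytes) -> dict:
    """Parse the PE headers and apply the report's static heuristics."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                                  # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        nrva, dd = opt + 108, opt + 112
    elif magic == 0x10B:                                                # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        nrva, dd = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = min(struct.unpack_from("<I", data, nrva)[0], 16)
    dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                                   # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"),
                             vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr, flags=flags))
    exports = 0
    if dirs and dirs[0][0]:                                             # IMAGE_DIRECTORY_ENTRY_EXPORT
        sec = _section_for_rva(dirs[0][0], sections)
        if sec is not None:
            exp_off = dirs[0][0] - sec["va"] + sec["rawptr"]
            exports = struct.unpack_from("<I", data, exp_off + 20)[0]   # NumberOfFunctions
    present = {DATA_DIRECTORY_NAMES[i]: (_section_for_rva(rva, sections) or {}).get("name")
               for i, (rva, _size) in enumerate(dirs) if rva}
    return {
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "machine": MACHINES.get(machine, f"{machine:#x}"),
        "image_base": image_base,
        "high_image_base": image_base > 0x60000000,
        "exports": exports,
        "many_exports": exports > 100,
        "sections": [s["name"] for s in sections],
        "nonstandard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
        "executable_sections": [s["name"] for s in sections if s["flags"] & IMAGE_SCN_MEM_EXECUTE],
        "data_directories": present,                                    # directory name -> holding section
    }


def build_sample_dll(num_exports: int = 260) -> bytes:
    """Construct a minimal PE32+ DLL image for the example (not a loadable or real binary)."""
    names = [b".text", b".rdata", b"_RDATA"]
    flags = [0x60000020, 0x40000040, 0x40000040]                        # CODE|EXEC|READ, INIT_DATA|READ
    hdr, raw, n, pe = 0x400, 0x200, len(names), 0x80
    dos = bytearray(pe); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, pe)
    # x64, 3 sections, 240-byte optional header, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE|DLL
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x180000000)
    struct.pack_into("<II", opt, 32, 0x1000, raw)                       # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x1000 * (n + 1), hdr)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, 0x2000, 40)                       # EXPORT directory at RVA 0x2000 (.rdata)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", nm, raw, 0x1000 * (i + 1), raw, hdr + raw * i,
                                0, 0, 0, 0, fl) for i, (nm, fl) in enumerate(zip(names, flags)))
    header = (bytes(dos) + nt + bytes(opt) + secs).ljust(hdr, b"\0")
    body = bytearray(raw * n)
    # IMAGE_EXPORT_DIRECTORY with NumberOfFunctions = NumberOfNames = num_exports
    body[raw:raw + 40] = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1,
                                     num_exports, num_exports, 0x2028, 0, 0)
    return header + bytes(body)


if __name__ == "__main__":
    for key, value in pe_static_info(build_sample_dll()).items():
        print(f"{key:22} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:22} {value}")
```

To run it against a real file, pass the file's bytes to pe_static_info. A high image base and a large export table are weak signals on their own (every x64 DLL built with a default linker sits at 0x180000000), which is why the report scores them as low-weight heuristics next to the Yara and behaviour hits.
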

Boot Survival

Source: C:\Windows\System32\regsvr32.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZgYREHBQT.dll
Source: C:\Windows\System32\regsvr32.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZgYREHBQT.dll
Source: C:\Windows\System32\regsvr32.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZgYREHBQT.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Users\user\AppData\Local\ZamKJmwegN\JeCOx.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 4824 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe | API coverage: 7.5 %
Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180029290 FindFirstFileExW,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018002972C FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 00000007.00000003.493938602.0000000001394000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493459160.000000000137D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.768933726.0000000001398000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493884642.0000000001383000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.768632966.000000000134F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493390937.000000000134F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493725445.0000000001380000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000007.00000003.493938602.0000000001394000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493459160.000000000137D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.768933726.0000000001398000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493884642.0000000001383000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493725445.0000000001380000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180003460 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018002DE88 GetProcessHeap,
Source: C:\Windows\System32\loaddll64.exe | Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180003460 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180003648 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800156F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180002E94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 115.178.55.22 80
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 172.105.115.71 8080
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe | Code function: try_get_function,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800243D0 cpuid
Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018002D450 try_get_function,GetSystemTimeAsFileTime,
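
The Boot Survival, Hooking and HIPS sections above describe the chain a responder has to reconstruct from logs: regsvr32.exe moves the payload into a random subdirectory of C:\Windows\System32, registers it under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, strips the Zone.Identifier stream from the dropped copy, re-launches regsvr32.exe on it, and that signed system binary then talks to the C2 addresses. The script below is an added example for this page (not sandbox code) that runs those correlations over behaviour lines written in the "Source: <process> | <event>: <detail>" shape used on this page. The sample lines are constructed for the example from the paths, key and addresses the report lists; the rule names, severities and the LOLBINS set are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed behaviour lines in the "Source: <process> | <event>: <detail>" shape used on
# this page. Paths, key and addresses are the ones the report lists; the lines themselves
# are assembled for the example and are not copied from sandbox output.
SAMPLE_BEHAVIOR = r"""
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll
Source: C:\Windows\System32\regsvr32.exe | PE file moved: C:\Windows\System32\IUvcffQnjRFArsrM\JZgYREHBQT.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll"
Source: C:\Windows\System32\regsvr32.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZgYREHBQT.dll
Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 115.178.55.22 80
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 172.105.115.71 8080
Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
"""

# Signed Windows binaries that load attacker-supplied code; an outbound connection from one
# of them is the report's "System process connects to network" condition (example's own list).
LOLBINS = {"regsvr32.exe", "rundll32.exe", "loaddll64.exe", "mshta.exe", "wscript.exe"}
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run (?P<name>\S+)$", re.I)
DLL_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+\.dll', re.I)
SYSTEM32_SUBDIR_DLL = re.compile(r"^[A-Za-z]:\\windows\\system32\\[^\\]+\\[^\\]+\.dll$", re.I)

Event = Tuple[str, str, str]  # (source image basename, event name, detail)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    evidence: str


def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_lines(text: str) -> List[Event]:
    """Split each line into (source basename, event name, detail); skip anything else."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        if not line.startswith("Source: ") or " | " not in line:
            continue
        src, rest = line[len("Source: "):].split(" | ", 1)   # first separator only: the ADS
        event, _, detail = rest.partition(": ")               # line carries a second " | delete"
        events.append((basename(src), event, detail))
    return events


def analyse(text: str) -> List[Finding]:
    events = parse_lines(text)
    # Index every DLL path seen, so a Run value that names only the file can be resolved.
    dlls: Dict[str, str] = {}
    for _, _, detail in events:
        for m in DLL_PATH.finditer(detail):
            dlls.setdefault(basename(m.group(0)), m.group(0))
    findings: List[Finding] = []
    for src, event, detail in events:
        if event == "Registry value created or modified" and (m := RUN_VALUE.search(detail)):
            target = dlls.get(m.group("name").lower(), m.group("name"))
            sev = "high" if SYSTEM32_SUBDIR_DLL.match(target) else "medium"   # Emotet's drop location
            findings.append(Finding("run-key persistence", sev, f"{detail} -> {target}"))
        elif event == "File opened" and ":Zone.Identifier" in detail and "delete" in detail:
            findings.append(Finding("mark-of-the-web removal", "medium", detail))
        elif event == "Process created" and src == "regsvr32.exe" and "regsvr32.exe" in detail.lower():
            findings.append(Finding("regsvr32 re-launch of dropped DLL", "high", detail))
        elif event == "Network Connect" and src in LOLBINS:
            ip, _, port = detail.partition(" ")
            sev = "high" if port not in ("80", "443") else "medium"
            findings.append(Finding("LOLBin outbound connection", sev, f"{src} -> {ip}:{port}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_BEHAVIOR):
        print(f"[{f.severity:<6}] {f.rule}: {f.evidence}")
```

The same four rules map onto Sysmon telemetry on a live host: event 13 for the Run value, event 11 and 23 (with the :Zone.Identifier suffix) for the stream deletion, event 1 for regsvr32.exe as both parent and child, and event 3 for the connection. Resolving the Run value to a full path is the step worth keeping: Emotet writes only the DLL name, and the regsvr32 command line in the value data is what actually loads it at logon.
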

Stealing of Sensitive Information

Source: Yara match | File source: 5.2.rundll32.exe.1fb00100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.1fb00100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1d676b30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.1cc28be0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1d676b30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.regsvr32.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.1cc28be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.regsvr32.exe.1540000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.regsvr32.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.regsvr32.exe.1540000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.769739205.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.769387929.0000000001540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.250855705.000001D676C81000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.251110585.000001FB00141000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.250957440.000001FB00100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.258012521.0000000000C41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.257855329.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.255048362.000001CC2A6A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.407582886.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.250572025.000001D676B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.408383126.0000000000B41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.254840159.000001CC28BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one row per line, columns separated by " | "; a number in front of a technique is the count shown by the report for that cell)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | 11 Registry Run Keys / Startup Folder | 111 Process Injection | 21 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Registry Run Keys / Startup Folder | 2 Virtualization/Sandbox Evasion | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 111 Process Injection | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Regsvr32 | DCSync | 34 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 File Deletion | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Behavior Graph (ID 747451, sample UC2DFXQIBiE2kQ.dll, start date 16/11/2022, architecture WINDOWS, score 84)

Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; Yara detected Emotet; C2 URLs / IPs found in malware configuration
Sample-level network: 103.224.241.74 (WEBWERKS-AS-INWebWerksIndiaPvtLtdIN, India); 210.57.209.142 (UNAIR-AS-IDUniversitasAirlanggaID, Indonesia); 45 other IPs or domains

Process tree (child nodes indented under their parent):

loaddll64.exe (started)
    regsvr32.exe (started)
        Hides that the sample has been downloaded from the Internet (zone.identifier)
        regsvr32.exe (started)
            115.178.55.22 port 80, local port 49714 (SIMAYA-AS-IDPTSimayaJejaringMandiriID, Indonesia)
            172.105.115.71 port 8080, local port 49718 (LINODE-APLinodeLLCUS, United States)
            System process connects to network (likely due to code injection or exploit)
            Creates an autostart registry key pointing to binary in C:\Windows
    cmd.exe (started)
        rundll32.exe (started)
    rundll32.exe (started)
    3 other processes
regsvr32.exe (started)
    Hides that the sample has been downloaded from the Internet (zone.identifier)
    regsvr32.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:
Source | Detection | Scanner | Label
UC2DFXQIBiE2kQ.dll | 81% | ReversingLabs | Win64.Trojan.Emotet

Dropped files: No Antivirus matches

Unpacked PE files:
Source | Detection | Scanner | Label
6.2.rundll32.exe.1cc28be0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
7.2.regsvr32.exe.1540000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
5.2.rundll32.exe.1fb00100000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
3.2.regsvr32.exe.960000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
16.2.regsvr32.exe.970000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
4.2.rundll32.exe.1d676b30000.0.unpack | 100% | Avira | HEUR/AGEN.1215461

Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label
https://172.105.115.71:8080/ | 0% | Avira URL Cloud | safe
https://172.105.115.71:8080/lskyxdliqorbrr/wjoazpr/kccttvfhu/dll | 0% | Avira URL Cloud | safe
https://172.105.115.71:8080/lskyxdliqorbrr/wjoazpr/kccttvfhu/ | 0% | Avira URL Cloud | safe
https://112.105.115.71:8080/ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
windowsupdatebg.s.llnwi.net | 41.63.96.128 | true | false | | unknown

URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
https://172.105.115.71:8080/ | regsvr32.exe, 00000007.00000002.768740454.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493786263.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493440386.000000000136C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://112.105.115.71:8080/ | regsvr32.exe, 00000007.00000003.493459160.000000000137D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493884642.0000000001383000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.768834712.0000000001383000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493725445.0000000001380000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://172.105.115.71:8080/lskyxdliqorbrr/wjoazpr/kccttvfhu/ | regsvr32.exe, 00000007.00000003.493459160.000000000137D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.768740454.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493786263.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493884642.0000000001383000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.768834712.0000000001383000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493440386.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493725445.0000000001380000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://172.105.115.71:8080/lskyxdliqorbrr/wjoazpr/kccttvfhu/dll | regsvr32.exe, 00000007.00000002.768740454.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493786263.000000000136C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.493440386.000000000136C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        172.105.115.71 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
                        188.165.79.151 | unknown | France | 16276 | OVHFR | true
                        196.44.98.190 | unknown | Ghana | 327814 | EcobandGH | true
                        174.138.33.49 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                        36.67.23.59 | unknown | Indonesia | 17974 | TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID | true
                        103.41.204.169 | unknown | Indonesia | 58397 | INFINYS-AS-IDPTInfinysSystemIndonesiaID | true
                        85.214.67.203 | unknown | Germany | 6724 | STRATOSTRATOAGDE | true
                        83.229.80.93 | unknown | United Kingdom | 8513 | SKYVISIONGB | true
                        198.199.70.22 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                        93.104.209.107 | unknown | Germany | 8767 | MNET-ASGermanyDE | true
                        186.250.48.5 | unknown | Brazil | 262807 | RedfoxTelecomunicacoesLtdaBR | true
                        209.239.112.82 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true
                        175.126.176.79 | unknown | Korea Republic of | 9523 | MOKWON-AS-KRMokwonUniversityKR | true
                        128.199.242.164 | unknown | United Kingdom | 14061 | DIGITALOCEAN-ASNUS | true
                        178.238.225.252 | unknown | Germany | 51167 | CONTABODE | true
                        46.101.98.60 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
                        190.145.8.4 | unknown | Colombia | 14080 | TelmexColombiaSACO | true
                        82.98.180.154 | unknown | Spain | 42612 | DINAHOSTING-ASES | true
                        103.71.99.57 | unknown | India | 135682 | AWDHPL-AS-INAdvikaWebDevelopmentsHostingPvtLtdIN | true
                        87.106.97.83 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
                        103.254.12.236 | unknown | Viet Nam | 56151 | DIGISTAR-VNDigiStarCompanyLimitedVN | true
                        103.85.95.4 | unknown | Indonesia | 136077 | IDNIC-UNSRAT-AS-IDUniversitasIslamNegeriMataramID | true
                        202.134.4.210 | unknown | Indonesia | 7713 | TELKOMNET-AS-APPTTelekomunikasiIndonesiaID | true
                        165.22.254.236 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                        78.47.204.80 | unknown | Germany | 24940 | HETZNER-ASDE | true
                        118.98.72.86 | unknown | Indonesia | 7713 | TELKOMNET-AS-APPTTelekomunikasiIndonesiaID | true
                        139.59.80.108 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true
                        104.244.79.94 | unknown | United States | 53667 | PONYNETUS | true
                        37.44.244.177 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
                        51.75.33.122 | unknown | France | 16276 | OVHFR | true
                        160.16.143.191 | unknown | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true
                        103.56.149.105 | unknown | Indonesia | 55688 | BEON-AS-IDPTBeonIntermediaID | true
                        85.25.120.45 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | true
                        139.196.72.155 | unknown | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true
                        115.178.55.22 | unknown | Indonesia | 38783 | SIMAYA-AS-IDPTSimayaJejaringMandiriID | true
                        103.126.216.86 | unknown | Bangladesh | 138482 | SKYVIEW-AS-APSKYVIEWONLINELTDBD | true
                        128.199.217.206 | unknown | United Kingdom | 14061 | DIGITALOCEAN-ASNUS | true
                        114.79.130.68 | unknown | India | 45769 | DVOIS-IND-VoisBroadbandPvtLtdIN | true
                        103.224.241.74 | unknown | India | 133296 | WEBWERKS-AS-INWebWerksIndiaPvtLtdIN | true
                        210.57.209.142 | unknown | Indonesia | 38142 | UNAIR-AS-IDUniversitasAirlanggaID | true
                        202.28.34.99 | unknown | Thailand | 9562 | MSU-TH-APMahasarakhamUniversityTH | true
                        80.211.107.116 | unknown | Italy | 31034 | ARUBA-ASNIT | true
                        54.37.228.122 | unknown | France | 16276 | OVHFR | true
                        218.38.121.17 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
                        185.148.169.10 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
                        195.77.239.39 | unknown | Spain | 60493 | FICOSA-ASES | true
                        178.62.112.199 | unknown | European Union | 14061 | DIGITALOCEAN-ASNUS | true
                        62.171.178.147 | unknown | United Kingdom | 51167 | CONTABODE | true
                        64.227.55.231 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                        Joe Sandbox Version:36.0.0 Rainbow Opal
                        Analysis ID:747451
                        Start date and time:2022-11-16 11:47:48 +01:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 9m 51s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:UC2DFXQIBiE2kQ.dll
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:21
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal84.troj.evad.winDLL@19/2@0/49
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 82% (good quality ratio 74.8%)
                        • Quality average: 72.8%
                        • Quality standard deviation: 32.3%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .dll
                        • Override analysis time to 240s for rundll32
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 173.222.108.210, 173.222.108.226
                        • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: UC2DFXQIBiE2kQ.dll
                        Time | Type | Description
                        11:49:30 | API Interceptor | 2x Sleep call for process: regsvr32.exe modified
                        11:49:42 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run JZgYREHBQT.dll C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll"
                        No context
                        Process:C:\Windows\System32\regsvr32.exe
                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62919 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                        Category:dropped
                        Size (bytes):62919
                        Entropy (8bit):7.995280921994772
                        Encrypted:true
                        SSDEEP:1536:d+OfVxHl7Wyf11lYom3xQcRVOtPHwQV4rP6Ji7:d+OxHxJlZcuPt4b6q
                        MD5:3DCF580A93972319E82CAFBC047D34D5
                        SHA1:8528D2A1363E5DE77DC3B1142850E51EAD0F4B6B
                        SHA-256:40810E31F1B69075C727E6D557F9614D5880112895FF6F4DF1767E87AE5640D1
                        SHA-512:98384BE7218340F95DAE88D1CB865F23A0B4E12855BEB6E74A3752274C9B4C601E493864DB777BCA677A370D0A9DBFFD68D94898A82014537F3A801CCE839C42
                        Malicious:false
                        Preview:MSCF............,...................I.......Q.........GU.\ .authroot.stl..O..5..CK..<Tk...c_.d....A.K...+.d.-;%.BJII!.QIR..$t)Kd.-QQ*...g......^..~|N=...y....{. .4{...W....b.i...j.I.......1:..b\.0.....Ait.2t......w.%.&.",tL_...4.8L[G..;.57....AT.k.......V..K......(....mzS...G....r.".=H.?>.........x&...S%....X.M^..j...A..x.9`.9...A../.s..#.4#.....Id.w..B....s.8..(...dj....=L.)..s.d.]NxQX8....stV#.K.'7.tH..9u~.2..!..2./.....!..9C../...mP $..../y.....@p.6.}.`...5. 0r.w...@(.. .Q....)g.........m..z*.8rR..).].T9r<.L....0..`.........c.....;-.g..;.wk.)......i..c5.....{v.u...AS..=.....&.:.........+..P.N..9..EAQ.V.$s.......B.`.Mfe..8.......$...y-.q9J........W...2.Q8...O.......i..@\^.=X..dG$.M..#=....m.h..{9.'...-.v..Z...!....z.....N....i..^..,........d...%Xa~q.@D|0...Y.m...........&d.4..A..{t=...../.t.3._.....?-.....uroP?.d.Z..S..{...$.i....X..$.O..4..N.)....U.Z..P....X,.... ...Lg..35..W..s.!c...Ap.].P..8..M..W.......U..,...m.u..|=.m1..~..!..b...._.
                        Process:C:\Windows\System32\regsvr32.exe
                        File Type:data
                        Category:modified
                        Size (bytes):328
                        Entropy (8bit):3.1108374798811247
                        Encrypted:false
                        SSDEEP:6:kKN9EN1HlNiN+SkQlPlEGYRMY9z+4KlDA3RUeKlTAlWRyf1:Fe/kPlE99SNxAhUexYo1
                        MD5:CE7B8F5DF882BFCE74A8B2154265437D
                        SHA1:8465FBC36EC5944C577DA4961D305A69B37F3324
                        SHA-256:61659BA7C4AAE84B438FD6BC067914FB068194A0133E8D2D7370A95E1E469BFA
                        SHA-512:6A409E836EB5797AD83AF5889CA7F7C52284C15F249652FEB6DA0608C2D57A4B3F1E58556A1647F4FFAD93162975E40039C37EC6E9413005031C7317AE5021A9
                        Malicious:false
                        Preview:p...... .........X.....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.d.e.4.d.3.9.b.e.8.d.8.1.:.0."...
                        File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                        Entropy (8bit):6.82554843363977
                        TrID:
                        • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                        • Win64 Executable (generic) (12005/4) 10.17%
                        • Generic Win/DOS Executable (2004/3) 1.70%
                        • DOS Executable Generic (2002/1) 1.70%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                        File name:UC2DFXQIBiE2kQ.dll
                        File size:636416
                        MD5:e2ec88ae31e147d1976368c6a8988d3c
                        SHA1:937a21ced7f2663c923c9c614cbe06d95def511a
                        SHA256:ae7e655db35a71a3b2df96051d722d7995ec94feea3cbd59bec501042ab40847
                        SHA512:ce9c95d721ee389dbbe3d7758d51bdde38f608675c7123d61fa6e0fde500e677651c043be3ef1d52d424b4a1d80d7191cb180887a8944059634ca55042bfa278
                        SSDEEP:6144:S6/ptuaN+qWUILr1HRf/9Mu1vHLI7U9XWi9gQ30/bP/09Xls9HV6MExbnyDAzlsH:S6/ptu/qerXtU7U9XUZWYobyDAzl+
                        TLSH:A7D4BE04B2AC40B5D5BBC17AC8A3592AE2B27C524764D7CB13A107BA1F2B7E11D3FB51
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................\.......\.......\.r.............\.......Rich...
                        Icon Hash:74f0e4ecccdce0e4
                        Entrypoint:0x180002e54
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x180000000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                        DLL Characteristics:HIGH_ENTROPY_VA, NX_COMPAT
                        Time Stamp:0x636C09DF [Wed Nov 9 20:13:19 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:0
                        File Version Major:6
                        File Version Minor:0
                        Subsystem Version Major:6
                        Subsystem Version Minor:0
                        Import Hash:bf309f28e2e75a572eb2f2244be62b26
                        Instruction
                        dec eax
                        mov dword ptr [esp+08h], ebx
                        dec eax
                        mov dword ptr [esp+10h], esi
                        push edi
                        dec eax
                        sub esp, 20h
                        dec ecx
                        mov edi, eax
                        mov ebx, edx
                        dec eax
                        mov esi, ecx
                        cmp edx, 01h
                        jne 00007FC3E8BA0707h
                        call 00007FC3E8BA115Ch
                        dec esp
                        mov eax, edi
                        mov edx, ebx
                        dec eax
                        mov ecx, esi
                        dec eax
                        mov ebx, dword ptr [esp+30h]
                        dec eax
                        mov esi, dword ptr [esp+38h]
                        dec eax
                        add esp, 20h
                        pop edi
                        jmp 00007FC3E8BA0570h
                        int3
                        int3
                        int3
                        inc eax
                        push ebx
                        dec eax
                        sub esp, 20h
                        dec eax
                        mov ebx, ecx
                        xor ecx, ecx
                        call dword ptr [00049283h]
                        dec eax
                        mov ecx, ebx
                        call dword ptr [00049272h]
                        call dword ptr [0004927Ch]
                        dec eax
                        mov ecx, eax
                        mov edx, C0000409h
                        dec eax
                        add esp, 20h
                        pop ebx
                        dec eax
                        jmp dword ptr [00049270h]
                        dec eax
                        mov dword ptr [esp+08h], ecx
                        dec eax
                        sub esp, 38h
                        mov ecx, 00000017h
                        call dword ptr [00049264h]
                        test eax, eax
                        je 00007FC3E8BA0709h
                        mov ecx, 00000002h
                        int 29h
                        dec eax
                        lea ecx, dword ptr [00095FC2h]
                        call 00007FC3E8BA09DEh
                        dec eax
                        mov eax, dword ptr [esp+38h]
                        dec eax
                        mov dword ptr [000960A9h], eax
                        dec eax
                        lea eax, dword ptr [esp+38h]
                        dec eax
                        add eax, 08h
                        dec eax
                        mov dword ptr [00096039h], eax
                        dec eax
                        mov eax, dword ptr [00096092h]
                        dec eax
                        mov dword ptr [00095F03h], eax
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x94ef0 | 0x1a30 | .rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x96920 | 0x78 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x268 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x9b000 | 0x3b34 | .pdata
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa1000 | 0x860 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x916a8 | 0x1c | .rdata
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x916d0 | 0x138 | .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x4c000 | 0x3b0 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x4a1e5 | 0x4a200 | False | 0.48174009274873525 | data | 6.479787977595784 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata | 0x4c000 | 0x4b592 | 0x4b600 | False | 0.611217998548922 | data | 6.281987992518068 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0x98000 | 0x2a44 | 0xe00 | False | 0.18052455357142858 | DOS executable (block device driver \322f\324\377\3772) | 2.7637122521836313 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .pdata | 0x9b000 | 0x3b34 | 0x3c00 | False | 0.46953125 | data | 5.536843174034769 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        _RDATA | 0x9f000 | 0xf4 | 0x200 | False | 0.30078125 | data | 1.982153456785509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .rsrc | 0xa0000 | 0x268 | 0x400 | False | 0.3173828125 | data | 3.200437559634333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xa1000 | 0x860 | 0xa00 | False | 0.46796875 | data | 5.031424688639632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country
                        RT_STRING | 0xa00a0 | 0x48 | data | English | United States
                        RT_MANIFEST | 0xa00e8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
                        DLL | Import
                        USER32.dll | MessageBoxA, InvalidateRect, GetMessageW, DefWindowProcW, DestroyWindow, CreateWindowExW, RegisterClassExW, LoadStringW, ShowWindow, DispatchMessageW, SetGestureConfig, GetGestureInfo, TranslateAcceleratorW, TranslateMessage, LoadCursorW, PostQuitMessage, UpdateWindow, BeginPaint, EndPaint, CloseGestureInfoHandle, ScreenToClient
                        GDI32.dll | Polyline, LineTo, CreatePen, MoveToEx, DeleteObject, SelectObject
                        ole32.dll | CoLoadLibrary
                        CRYPT32.dll | CryptStringToBinaryA
                        KERNEL32.dll | GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, GetFileSizeEx, WriteConsoleW, SetConsoleCtrlHandler, GetFileType, GetStdHandle, GetProcessHeap, EnumSystemLocalesW, SetFilePointerEx, ReadFile, ReadConsoleW, OutputDebugStringW, CreateFileW, HeapSize, CloseHandle, GetUserDefaultLCID, IsValidLocale, GetStringTypeW, DeleteCriticalSection, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, RtlUnwind, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetCurrentThread, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW
                        Name | Ordinal | Address
                        ACeujVZMknFDjv | 1 | 0x180043600
                        AHuDGMflBfPryOEYjuTfbzJdEM | 2 | 0x180043f30
                        ATjQPkInxPUGuUu | 3 | 0x180043890
                        AmbryhtjKWGeCnsRXR | 4 | 0x180043690
                        AukYzjkZpQjlyb | 5 | 0x180043e80
                        BEHGKvjtYm | 6 | 0x1800438c0
                        BRUFxz | 7 | 0x180043b50
                        BUZBRSzPLxRhY | 8 | 0x180043ba0
                        BZCzGXtURmWdIZoaE | 9 | 0x180043a50
                        BZqjzJIejob | 10 | 0x1800439a0
                        BmZYhYQxzCQQ | 11 | 0x180043810
                        BubGPfVJvMw | 12 | 0x180043420
                        CBkyPEXjXbRUHKXJo | 13 | 0x180043330
                        CEsNfdgPgd | 14 | 0x180044070
                        CVPqxJEtookkvK | 15 | 0x180043e70
                        CaJBhuFKGDiSQoojdQF | 16 | 0x180044120
                        CcKlmw | 17 | 0x1800434f0
                        CfrkXlNpYveSkH | 18 | 0x180043730
                        CtcUKaNM | 19 | 0x180043d60
                        CtmIxtaSEWrJoeKFHYsQVRF | 20 | 0x180043f20
                        DCcTBPjgUmKACiowmtURUFfgN | 21 | 0x180043290
                        DRpUgpG | 22 | 0x1800432d0
                        DYDsOtWxMUufQk | 23 | 0x1800434c0
                        DacmPRKwn | 24 | 0x180043ca0
                        DdBIgVVvJpDDYojhSveGWyVC | 25 | 0x1800440d0
                        DllRegisterServer | 26 | 0x180044a60
                        EDkUTFetsWTlyEplV | 27 | 0x180043bd0
                        EZveIcVQbxXQvHAc | 28 | 0x180043960
                        EetKwkljiiO | 29 | 0x1800440e0
                        EiwSmYwuw | 30 | 0x180043410
                        EjKZnNkyirwOPcLJfvNShOHV | 31 | 0x180043250
                        ElumsVBNoiVQFecpcx | 32 | 0x1800438f0
                        FVCmCSsewcOgpmVCPhNN | 33 | 0x180043e90
                        FeniiccJDJZQOquCQEDZFbp | 34 | 0x180043490
                        GhuZhUSaPqDNPQyLmKmMs | 35 | 0x180043530
                        GidoxoYzkYTZBUKjTczrNz | 36 | 0x180043240
                        GmOuZYJiGNspxqOxoBCu | 37 | 0x180043af0
                        GoueteXAa | 38 | 0x180043de0
                        HZyUwOgdhWiacaSFvYDsgUbdhh | 39 | 0x180043370
                        HtmqUvH | 40 | 0x1800437f0
                        HvKfMTiGc | 41 | 0x180043ad0
                        HwiGZdXrkhPSBdQhcNF | 42 | 0x180043d80
                        IOKBBQdlpeQCrqGhE | 43 | 0x180043f80
                        IftUczqAOEEpksLc | 44 | 0x1800440b0
                        IujIKjACwijLXf | 45 | 0x180043a80
                        JPOlfklrHwimOYpdWU | 46 | 0x180043980
                        JldHyQJYHPfgwSota | 47 | 0x180043f70
                        KHRcAfeWiWXczrzetcsf | 48 | 0x1800435c0
                        KSBSWsMPLKrvLpLuQEVBQaA | 49 | 0x1800437b0
                        KXPHHrx | 50 | 0x180043cc0
                        KqKYPtMNYPZwVVbFgnJskTDgXZ | 51 | 0x180044080
                        KrLeibTbke | 52 | 0x180043da0
                        KtNQbfYVcdlRzCxJLbItSH | 53 | 0x180043fc0
                        KtZFnRWCN | 54 | 0x180043c50
                        KyUDQzimOqrGaUdqnpHCadI | 55 | 0x180043950
                        LNVXKJhSBOeqiQPpxZuBrf | 56 | 0x180043770
                        LbOnTCPkjmOOEdhEeyEy | 57 | 0x180043cf0
                        LlFIOHcteRaL | 58 | 0x180043990
                        MAmiSwkyFlQMDaCByXR | 59 | 0x1800438d0
                        MHyRvOCLFO | 60 | 0x180043c00
                        MbZnllsXkfnyOmtthLrL | 61 | 0x180043640
                        MbsuSbHtpeltWArBKaXuf | 62 | 0x180043eb0
                        MltZiwCXSxF | 63 | 0x180043440
                        NFzpzSbcGrv | 64 | 0x180043e20
                        NXasCwwz | 65 | 0x180043310
                        NfwIIEvnLCKXIrpxWtDCbXx | 66 | 0x180043bf0
                        NgkonMKeLNPfNxT | 67 | 0x180043b30
                        NlplQAUkkIZ | 68 | 0x1800437e0
                        OQruapyPUnukiDhEvANkgElZqh | 69 | 0x180043700
                        ORBMTIE | 70 | 0x180043e50
                        OdtvuFxrrpfsY | 71 | 0x180043d00
                        OoZePWcMAAdh | 72 | 0x1800432a0
                        PbgMOKpkqAeEgOBtpecKal | 73 | 0x180043a90
                        PhHcvOzcWKVEzqGUAuH | 74 | 0x180044020
                        PqcNviu | 75 | 0x1800439b0
                        PxhniQgzegWvoSCaIPorRhqOEt | 76 | 0x180043200
                        PzcLCLdBlIdqBxBTbNiI | 77 | 0x180043ab0
                        RFSoSJnzzPHjPzvZCOvWT | 78 | 0x180043f90
                        RSrAlLsSbnJmicoYtpKsPYkwFn | 79 | 0x180044040
                        ReujwDwTrVxLhVwaWvQS | 80 | 0x180044100
                        RqzpZDiLuFMWsJ | 81 | 0x180043630
                        SUemGjmeVuPs | 82 | 0x180043a70
                        ScnrskpiicPdg | 83 | 0x180043840
                        SeCKWgTgmmtDUvFC | 84 | 0x180043be0
                        SjnxUxHKGlth | 85 | 0x180043cd0
                        StNIEkqRHMtB | 86 | 0x180043ae0
                        StepECvENJONrwlynYAOx | 87 | 0x180043550
                        SyluAQQc | 88 | 0x180043800
                        SyvpWCmyZbMrEFnfTmyrBRH | 89 | 0x1800436d0
                        TLTUEROtrtYd | 90 | 0x1800434d0
                        TdNJCbJiInjtCOpp | 91 | 0x180043d20
                        TndRvx | 92 | 0x180043fe0
                        TpEywJZSeYXzmbHgod | 93 | 0x180043c70
                        TrziFVlHgMVVONOLNIfRem | 94 | 0x180043d90
                        TzKueUFolaHBJPFhx | 95 | 0x180043b40
                        UClTVsmfYtgzIL | 96 | 0x1800437c0
                        URuQMqrUPMSAGVyWQTqN | 97 | 0x180044010
                        UbLvGEZfkFcvnnw | 98 | 0x180044170
                        VXfdoDKAoHiAA | 99 | 0x180043390
                        VeRxloJdVvetDztDxLQT | 100 | 0x180043dd0
                        VkIbTCoknzceJuPcnCXzzPj | 101 | 0x180043e30
                        VqNxpzS | 102 | 0x180043e00
                        WPumZrRRafooNh | 103 | 0x1800435a0
                        WQIBBQj | 104 | 0x1800431e0
                        WUVuwTliAyCBAOHuSOD | 105 | 0x180043e40
                        WsADtJekvYjSfChaZ | 106 | 0x1800434e0
                        XBRWcmDQWuUdmmFxx | 107 | 0x180043570
                        XDLVzSefOKneeAsytcH | 108 | 0x180043b60
                        XDecZDvu | 109 | 0x180043ec0
                        XNmJlnrJjgZEjPQQeoOIT | 110 | 0x180043860
                        XWdPewUOSEaHKCHnynymDhLttF | 111 | 0x180044000
                        XmEMSisfXGvwdcnUI | 112 | 0x180044130
                        XxYbsglQgKXTYWUmlX | 113 | 0x1800433d0
                        YOqqPZdimbNEuvMaM | 114 | 0x1800439d0
                        YXgNyXKelZfQK | 115 | 0x180043220
                        YrlEvikMuwUvtjDbAASCV | 116 | 0x180043b70
                        YrpQLSvKN | 117 | 0x180043320
                        YtyiKWITImQlOTP | 118 | 0x1800439f0
                        ZMAtbEQuVEpze | 119 | 0x180043db0
                        ZOTjVFL | 120 | 0x180043b20
                        ZXigMFrErZGCgnGQdpTo | 121 | 0x180043790
                        ZcqfXQvmSIhHXuDEPmA | 122 | 0x180043610
                        ZmNbZwqyJPRHpqmUZOmpJexK | 123 | 0x1800436c0
                        aOxloUcrMaTBrKRkXkvrKaAy | 124 | 0x180044050
                        aXDBQtKlOSCf | 125 | 0x180043340
                        azZsnWvbQULjBuaCVG | 126 | 0x180043650
                        bCHMpZKuNDwxXrs | 127 | 0x180043f00
                        bFyNFHBUflbBAfRZV | 128 | 0x180043560
                        bGaVPXQawxz | 129 | 0x180043910
                        bVRtqQ | 130 | 0x180043d40
                        bWXHfJrBjrdcVRLbuT | 131 | 0x180043780
                        blakCcJabYayatiII | 132 | 0x180043c40
                        bsEGIgCVUNZeSRsr | 133 | 0x1800431f0
                        btMHyPMu | 134 | 0x180043380
                        bteqpXpGuaIzWJWPXQj | 135 | 0x1800433e0
                        buvNCuoglefZoipISdUp | 136 | 0x1800433a0
                        bvumZozkETqFchaDGgv | 137 | 0x180044150
                        cKgbFcy | 138 | 0x180043260
                        chPwzpRWTYf | 139 | 0x180043400
                        cliUpMkAyvnx | 140 | 0x180043460
                        cpEBzofbApJInexgeY | 141 | 0x180043520
                        cpNZFVzZSKe | 142 | 0x180043c20
                        cpmbLfWGBjxaaZNR | 143 | 0x1800437a0
                        csebqY | 144 | 0x1800433c0
                        czlJGyv | 145 | 0x180043430
                        dOrUqBBEUz | 146 | 0x1800440f0
                        disvxAJjTCcpofcItH | 147 | 0x180043850
                        djhGwwWdNkNOGnSMVhO | 148 | 0x180043f50
                        drTNkYg | 149 | 0x1800435d0
                        elaOoLpqFiyIbnyvaU | 150 | 0x180043500
                        fAKHjGkpTjHcAAfMvshh | 151 | 0x180043bc0
                        fBFgQesCsDDEqolwHzSbbSIs | 152 | 0x180043f40
                        fDZRRfyfwlYoeFo | 153 | 0x180043b00
                        fLcYUVhVDDHHRUryudAO | 154 | 0x180043720
                        fWkhxqQSpEMsqhItVIr | 155 | 0x1800432b0
                        fZQaoqMpByybzlfgG | 156 | 0x180043a20
                        fadaIHaPgvjpA | 157 | 0x180044160
                        fodVsUcqiRZtLe | 158 | 0x1800434b0
                        fwWFiWowsdju | 159 | 0x180043a00
                        gQiEYElmfk | 160 | 0x180043480
                        gexCIfMSOkWBVEs | 161 | 0x180044060
                        gnKyXNiVXhIQQVNkxutn | 162 | 0x180043350
                        hHoSVYFgUoRXoGwPBdTY | 163 | 0x1800436f0
                        hKiUTWNKTCBHARIejKtitX | 164 | 0x180043970
                        hTcXrfT | 165 | 0x180043b10
                        hdpzQLMeXdHLAXI | 166 | 0x180043ef0
                        hqmMcxlMowrqdmwCD | 167 | 0x1800432f0
                        huwZDnzyRrUuSv | 168 | 0x180044110
                        hwwioGqcSiONSnnoqSgGGlYG | 169 | 0x1800437d0
                        hwxiWyDPZ | 170 | 0x180043300
                        iIMUBUcxlPgIoCou | 171 | 0x180043ce0
                        iXVpeLZjxHYfZy | 172 | 0x180043ed0
                        ickoyirauzuqSYooWRxIBKP | 173 | 0x1800433b0
                        ixEhmcgYbORYTvwI | 174 | 0x180043940
                        jXSCkxhrXSnIiziUsUkSa | 175 | 0x1800438a0
                        jhMrQlkZnbNzE | 176 | 0x1800435e0
                        jnmtHhyvcXOtUsFySuhzSRFwZ | 177 | 0x180043c80
                        jqfPKICr | 178 | 0x180043210
                        kFVNBreOaZSGgseVYXfZAQSt | 179 | 0x180043e60
                        kLMzjQJrPZFPf | 180 | 0x180043470
                        kONtiEAEi | 181 | 0x180043510
                        kUNUwtZ | 182 | 0x180043cb0
                        lIEZQCqZKko | 183 | 0x180043ee0
                        lZiHnzEuXoXZIzRd | 184 | 0x180043df0
                        larnkUFYFI | 185 | 0x180043620
                        lfFBdv | 186 | 0x180043e10
                        mJFTxuzjmKwZE | 187 | 0x1800438e0
                        mJPUafqK | 188 | 0x1800436b0
                        mRinbRZ | 189 | 0x1800435b0
                        miGqUGeEk | 190 | 0x180043f10
                        muHYTksHDRccMJtbMIVY | 191 | 0x180043bb0
                        nEWvJUznqPuIORIkmbdcWjKd | 192 | 0x180043fb0
                        nXCjDafayJLQ | 193 | 0x180043fa0
                        nfPVFCecEC | 194 | 0x180043fd0
                        ntSsSyvUegFeD | 195 | 0x180043590
                        nttFqgw | 196 | 0x180043f60
                        nuflNZYxVuFptSebTKUXxH | 197 | 0x180043dc0
                        oFyUMrjmgKtGCEsn | 198 | 0x180043d70
                        oJhfaaiLZFHiBCXJlPO | 199 | 0x180043d30
                        oPpitKCbVriCZu | 200 | 0x180043280
                        oTMlKNA | 201 | 0x180043d10
                        pOQozXdpf | 202 | 0x180043710
                        pqXsDgFAKqxqyeZwyCjZ | 203 | 0x180043230
                        qhBjRUFjPgGnZCYf | 204 | 0x180043a60
                        qnqswBvEbONoReovLIKnVYuSA | 205 | 0x1800439c0
                        qpggbjTvfN | 206 | 0x1800432c0
                        rGJIMlvpqBhxViL | 207 | 0x180043880
                        rUmobKc | 208 | 0x180043a10
                        rfqEeKHAx | 209 | 0x180044140
                        rsgxCEvQpI | 210 | 0x1800436e0
                        rstbQmhTSxcrhUlcaxRFhGIXK | 211 | 0x180043c10
                        rxpoWUmUrHlSIHeznkyrivE | 212 | 0x180043d50
                        rzgTPjoxRh | 213 | 0x180044090
                        sFmMISJDeOoy | 214 | 0x180043a40
                        sGzvLqVdsbQ | 215 | 0x180043930
                        sRyuPhAwDlOgUlGVpIfduYySp | 216 | 0x1800440a0
                        sTHzpfVYU | 217 | 0x180043820
                        sUKvQIa | 218 | 0x180043680
                        sVMFsGCCfvDfoTh | 219 | 0x180043450
                        sfAGqCcFJlYOMkqZahTjTiAX | 220 | 0x1800439e0
                        stMogsRXrfH | 221 | 0x180043c30
                        tBAtJGzOlooKPbZ | 222 | 0x1800438b0
                        tTdsornziSGMnYRGtlv | 223 | 0x180043870
                        taVJVqMCMlkFIDWVCcDLV | 224 | 0x180043ea0
                        twRKUF2250x180043a30
                        uTtYPS2260x180043920
                        ujLBGDEExK2270x1800435f0
                        ujfIFiuxQFuoWpBYlfPja2280x1800436a0
                        unVwakRZhbHEVJWGGZDyCZP2290x1800434a0
                        utlgNYXohozxx2300x180043aa0
                        uvBxDGCDNqLbDaufFb2310x180043740
                        vycQUvI2320x180043830
                        vzdSRyxeERBiXlOkqVUB2330x180043ff0
                        wAHuFSGPWcgVtPzRzoUTnbwo2340x180043660
                        wiIXJqSWsUXvPbq2350x180043360
                        wjeHVSTrDxCzMVNUFEQoz2360x180043b90
                        xPjfyQjUovqeohLapv2370x1800440c0
                        xeyyJZUMQlYiCHikxXoEko2380x180043670
                        xmDlQKqSmhiJfARRXzslVED2390x1800433f0
                        xzJluXH2400x180043580
                        yAYxFjbdwTSooJJzoq2410x180043b80
                        yBpkXiNAKugdWlxIPQKL2420x180043540
                        yIApLlDSJNmmOc2430x180043270
                        yMokeHArDgIyDvmsuwd2440x180044030
                        yVLTygbNjHTxXaOuZBkHmpajxq2450x180043ac0
                        yhCymcBLApUWyPqapsEDJtfjMV2460x180043760
                        yjGXMXnz2470x180043c90
                        yprPVXLUkdnzWv2480x1800432e0
                        yzkENTmBV2490x180043750
                        zQnFkEsglvSmYtKlkFDTme2500x180043900
                        zdMhYw2510x180043c60
                        Language of compilation system | Country where language is spoken | Map
                        English | United States |
                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        11/16/22-11:49:29.070302 | TCP | 2404304 | ET CNC Feodo Tracker Reported CnC Server TCP group 3 | 49714 | 80 | 192.168.2.6 | 115.178.55.22
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 16, 2022 11:49:29.070302010 CET | 49714 | 80 | 192.168.2.6 | 115.178.55.22
                        Nov 16, 2022 11:49:29.350398064 CET | 80 | 49714 | 115.178.55.22 | 192.168.2.6
                        Nov 16, 2022 11:49:29.855578899 CET | 49714 | 80 | 192.168.2.6 | 115.178.55.22
                        Nov 16, 2022 11:49:30.137402058 CET | 80 | 49714 | 115.178.55.22 | 192.168.2.6
                        Nov 16, 2022 11:49:30.652652025 CET | 49714 | 80 | 192.168.2.6 | 115.178.55.22
                        Nov 16, 2022 11:49:30.935076952 CET | 80 | 49714 | 115.178.55.22 | 192.168.2.6
                        Nov 16, 2022 11:49:36.584249020 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:36.750922918 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:36.751099110 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:36.771295071 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:36.937913895 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:36.953438997 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:36.953493118 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:36.953617096 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:37.113104105 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:37.280112982 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:37.281089067 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:37.324982882 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:38.895751953 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:38.895843029 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:39.062779903 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:39.062812090 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:39.691082001 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:39.747312069 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:42.688333035 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:42.688810110 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:42.688810110 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:42.688911915 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:42.689021111 CET | 49718 | 8080 | 192.168.2.6 | 172.105.115.71
                        Nov 16, 2022 11:49:42.855590105 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:42.855602026 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Nov 16, 2022 11:49:42.855618000 CET | 8080 | 49718 | 172.105.115.71 | 192.168.2.6
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Nov 16, 2022 11:49:30.262906075 CET | 8.8.8.8 | 192.168.2.6 | 0xc912 | No error (0) | windowsupdatebg.s.llnwi.net | | 41.63.96.128 | A (IP address) | IN (0x0001) | false
                        Nov 16, 2022 11:49:30.262906075 CET | 8.8.8.8 | 192.168.2.6 | 0xc912 | No error (0) | windowsupdatebg.s.llnwi.net | | 41.63.96.0 | A (IP address) | IN (0x0001) | false


                        Target ID:0
                        Start time:11:48:42
                        Start date:16/11/2022
                        Path:C:\Windows\System32\loaddll64.exe
                        Wow64 process (32bit):false
                        Commandline:loaddll64.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll"
                        Imagebase:0x7ff772b80000
                        File size:139776 bytes
                        MD5 hash:C676FC0263EDD17D4CE7D644B8F3FCD6
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:1
                        Start time:11:48:42
                        Start date:16/11/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6da640000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:2
                        Start time:11:48:42
                        Start date:16/11/2022
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
                        Imagebase:0x7ff7cb270000
                        File size:273920 bytes
                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:3
                        Start time:11:48:43
                        Start date:16/11/2022
                        Path:C:\Windows\System32\regsvr32.exe
                        Wow64 process (32bit):false
                        Commandline:regsvr32.exe /s C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll
                        Imagebase:0x7ff68a690000
                        File size:24064 bytes
                        MD5 hash:D78B75FC68247E8A63ACBA846182740E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.258012521.0000000000C41000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.257855329.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:4
                        Start time:11:48:43
                        Start date:16/11/2022
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
                        Imagebase:0x7ff6ffa10000
                        File size:69632 bytes
                        MD5 hash:73C519F050C20580F8A62C849D49215A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.250855705.000001D676C81000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.250572025.000001D676B30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:5
                        Start time:11:48:43
                        Start date:16/11/2022
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ACeujVZMknFDjv
                        Imagebase:0x7ff6ffa10000
                        File size:69632 bytes
                        MD5 hash:73C519F050C20580F8A62C849D49215A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251110585.000001FB00141000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.250957440.000001FB00100000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:6
                        Start time:11:48:46
                        Start date:16/11/2022
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,AHuDGMflBfPryOEYjuTfbzJdEM
                        Imagebase:0x7ff6ffa10000
                        File size:69632 bytes
                        MD5 hash:73C519F050C20580F8A62C849D49215A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.255048362.000001CC2A6A1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.254840159.000001CC28BE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

                        Target ID:7
                        Start time:11:48:48
                        Start date:16/11/2022
                        Path:C:\Windows\System32\regsvr32.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll"
                        Imagebase:0x7ff68a690000
                        File size:24064 bytes
                        MD5 hash:D78B75FC68247E8A63ACBA846182740E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.769739205.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.769387929.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

                        Target ID:8
                        Start time:11:48:49
                        Start date:16/11/2022
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ATjQPkInxPUGuUu
                        Imagebase:0x7ff6ffa10000
                        File size:69632 bytes
                        MD5 hash:73C519F050C20580F8A62C849D49215A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:16
                        Start time:11:49:50
                        Start date:16/11/2022
                        Path:C:\Windows\System32\regsvr32.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\IUvcffQnjRFArsrM\JZgYREHBQT.dll
                        Imagebase:0x7ff68a690000
                        File size:24064 bytes
                        MD5 hash:D78B75FC68247E8A63ACBA846182740E
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.407582886.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.408383126.0000000000B41000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security

                        Target ID:17
                        Start time:11:49:58
                        Start date:16/11/2022
                        Path:C:\Windows\System32\regsvr32.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ZamKJmwegN\JeCOx.dll"
                        Imagebase:0x7ff68a690000
                        File size:24064 bytes
                        MD5 hash:D78B75FC68247E8A63ACBA846182740E
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language

                        No disassembly