Windows Analysis Report
1V4gPPcQvB.dll

Overview

General Information

Sample Name: 1V4gPPcQvB.dll
Analysis ID: 626498
MD5: 571f80cb1a81eddf1fb399a4cd96582c
SHA1: 9e12d3add0890234365af3ea43e94ec9b271aaa1
SHA256: c117963618d01c8c1b37a8dbc31409318e343ae03493569bfa6d66e0ebdf8dbd
Tags: exetrojan

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 1V4gPPcQvB.dll Virustotal: Detection: 39%
Source: https://23.239.0.12/#mWwn Avira URL Cloud: Label: malware
Source: https://23.239.0.12/#mWwn Virustotal: Detection: 9%
Source: unknown HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: 1V4gPPcQvB.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.648362301.00000000004B5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.648362301.00000000004B5000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose, 6_2_000000018000D26C
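Two of the static findings above come straight from the PE optional header: "Static PE information: DYNAMIC_BASE, NX_COMPAT" is the DllCharacteristics field, and "PE file contains an invalid checksum" means the CheckSum field does not match what Windows' CheckSumMappedFile arithmetic produces for the file on disk. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own implementation; it reads both fields and recomputes the checksum. Because the sample is not embedded here, `build_sample_pe()` constructs a minimal PE32+ DLL header in memory with the same two flags set; the constants and algorithm are the documented winnt.h values and the standard checksum procedure (the same arithmetic pefile's `verify_checksum()` uses). A stored checksum of zero simply means the linker never wrote one; a non-zero value that does not match the recomputation means the bytes changed after linking (packing, patching, an appended or injected payload), which is the usual reason that signature fires.

```python
"""Read DllCharacteristics and verify the PE header checksum.

Added example; not part of the Joe Sandbox report. The sample itself is not
embedded, so build_sample_pe() constructs a minimal PE32+ header in memory
whose flags mirror the report (DYNAMIC_BASE, NX_COMPAT).
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
CHECKSUM_OFF = 64   # CheckSum offset inside the optional header (same for PE32 and PE32+)
DLLCHAR_OFF = 70    # DllCharacteristics offset inside the optional header


def optional_header_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER, after validating the MZ and PE magics."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20   # skip 'PE\0\0' and the 20-byte IMAGE_FILE_HEADER


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile arithmetic: fold the file into a 16-bit one's-complement
    sum, skipping the CheckSum dword itself, then add the file length."""
    total = 0
    skip_index = checksum_offset // 4
    for i in range(0, len(data), 4):
        if i // 4 == skip_index:
            continue
        chunk = data[i:i + 4].ljust(4, b"\0")   # a trailing partial dword is zero-padded
        total += struct.unpack("<I", chunk)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def inspect_pe(data: bytes) -> dict:
    """Stored vs. recomputed checksum plus decoded DllCharacteristics flags."""
    opt = optional_header_offset(data)
    stored = struct.unpack_from("<I", data, opt + CHECKSUM_OFF)[0]
    computed = pe_checksum(data, opt + CHECKSUM_OFF)
    flags = struct.unpack_from("<H", data, opt + DLLCHAR_OFF)[0]
    return {
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_set": stored != 0,          # 0 means the linker never wrote one
        "checksum_valid": stored == computed,
        "dll_characteristics": [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if flags & bit],
    }


def with_checksum(data: bytes) -> bytes:
    """Copy of the image with the correct checksum written into the header."""
    opt = optional_header_offset(data)
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, opt + CHECKSUM_OFF, pe_checksum(data, opt + CHECKSUM_OFF))
    return bytes(fixed)


def build_sample_pe(stored_checksum: int = 0x12345678) -> bytes:
    """Constructed minimal PE32+ DLL header (no sections) so the example runs offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)  # x64, 240-byte optional header, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<I", opt, CHECKSUM_OFF, stored_checksum)
    struct.pack_into("<H", opt, DLLCHAR_OFF, 0x0040 | 0x0100)       # DYNAMIC_BASE | NX_COMPAT
    body = bytes(range(256)) * 2                                    # filler so the sum is non-trivial
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    sample = build_sample_pe()
    print(inspect_pe(sample))
    print(inspect_pe(with_checksum(sample)))
```

To run this against the real file, replace `build_sample_pe()` with the bytes of the sample; `checksum_set` and `checksum_valid` together reproduce the distinction the signature relies on (unset is unremarkable, set-but-wrong is the tell).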

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 23.239.0.12 443
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  Cookie: hIRJjqHMHdV=nZwxi8WPWIMXNXTCUv3V5ewCiVaqak0UnFrOh9HPxFaBO28go/9+xWRpiaD+OvdLdpaS3KmMe0NROXF7P/v2uFUR2mdZcEYfCsU7esjRj8UoaBpR90xnOAMLNZb4Zf/GkJR+k0zKRYQ4snDyWIl1vlaP/fyz8s1xkPFTUva4UqN6kwBO8dE+yFUfheBRQWksHoH2WbfRu/bRMIQmJ6ipsT+oAAYPWV1JFEYVPpdNR6o=
  Host: 23.239.0.12
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 23.239.0.12
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: svchost.exe, 0000001C.00000003.493716426.000001F50975E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO"," equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001C.00000003.493716426.000001F50975E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO"," equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001C.00000003.493716426.000001F50975E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","
ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: regsvr32.exe, 00000006.00000002.649046694.0000000000670000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.323483995.0000000000670000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.605035022.000001D2BDC65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.534926379.000001F509722000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000012.00000002.604912010.000001D2BDC15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001C.00000003.513071382.000001F509775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000D.00000002.317375524.00000243CC413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.649002780.000002577343D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.649002780.000002577343D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: regsvr32.exe, 00000006.00000002.648685140.0000000000611000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.323873760.0000000000611000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://23.239.0.12/
Source: regsvr32.exe, 00000006.00000002.648685140.0000000000611000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.323873760.0000000000611000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://23.239.0.12/#mWwn
Source: svchost.exe, 0000000B.00000002.649002780.000002577343D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000D.00000003.317075778.00000243CC461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.649002780.000002577343D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.649002780.000002577343D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000003.317086705.00000243CC45E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000002.317537582.00000243CC45A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317096728.00000243CC459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.317075778.00000243CC461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.317469413.00000243CC43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000002.317537582.00000243CC45A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317096728.00000243CC459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000D.00000002.317551870.00000243CC46A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317069787.00000243CC467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000D.00000003.317075778.00000243CC461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.317124705.00000243CC447000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.317526098.00000243CC44E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317108861.00000243CC440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000002.317537582.00000243CC45A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317096728.00000243CC459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.317075778.00000243CC461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.317469413.00000243CC43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.317075778.00000243CC461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.317075778.00000243CC461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.317075778.00000243CC461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000003.317108861.00000243CC440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317141842.00000243CC441000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.317475430.00000243CC442000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000003.317108861.00000243CC440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317141842.00000243CC441000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.317475430.00000243CC442000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.317075778.00000243CC461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000002.317537582.00000243CC45A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317108861.00000243CC440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317096728.00000243CC459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001C.00000003.513071382.000001F509775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000D.00000003.317086705.00000243CC45E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000002.317537582.00000243CC45A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317096728.00000243CC459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000002.317537582.00000243CC45A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317096728.00000243CC459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000002.317542755.00000243CC462000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.317075778.00000243CC461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.317469413.00000243CC43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.295407264.00000243CC432000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000001C.00000003.507378636.000001F509C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507537378.000001F509C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507451898.000001F509C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507505148.000001F50979F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.508895507.000001F509775000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507491854.000001F50978E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000000D.00000002.317469413.00000243CC43D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.317469413.00000243CC43D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.317375524.00000243CC413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.317136899.00000243CC445000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317108861.00000243CC440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.317136899.00000243CC445000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317108861.00000243CC440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.317108861.00000243CC440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000002.317464357.00000243CC43B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.295407264.00000243CC432000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000D.00000003.317124705.00000243CC447000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.317526098.00000243CC44E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.317108861.00000243CC440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001C.00000003.513071382.000001F509775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001C.00000003.513071382.000001F509775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001C.00000003.507378636.000001F509C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507537378.000001F509C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507451898.000001F509C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507505148.000001F50979F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.508895507.000001F509775000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507491854.000001F50978E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001C.00000003.507378636.000001F509C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507537378.000001F509C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507451898.000001F509C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507505148.000001F50979F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.508895507.000001F509775000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.507491854.000001F50978E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 0000001C.00000003.517705075.000001F509775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 0000001C.00000003.516238842.000001F509C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.516180464.000001F5097B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.516163337.000001F5097B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.517705075.000001F509775000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000003.516211178.000001F50979A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800132F0 InternetReadFile,RtlAllocateHeap, 6_2_00000001800132F0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
Cookie: hIRJjqHMHdV=nZwxi8WPWIMXNXTCUv3V5ewCiVaqak0UnFrOh9HPxFaBO28go/9+xWRpiaD+OvdLdpaS3KmMe0NROXF7P/v2uFUR2mdZcEYfCsU7esjRj8UoaBpR90xnOAMLNZb4Zf/GkJR+k0zKRYQ4snDyWIl1vlaP/fyz8s1xkPFTUva4UqN6kwBO8dE+yFUfheBRQWksHoH2WbfRu/bRMIQmJ6ipsT+oAAYPWV1JFEYVPpdNR6o=
Host: 23.239.0.12
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.4:49763 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 4.2.rundll32.exe.20701410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.22e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.22e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.20701410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.23396dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.23396dc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.649155251.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.264793383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.265168643.0000023396DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.649306435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.264939318.0000020701410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.267070861.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.266871028.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264935281.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\TvcDyJjJQ\NcAvRfvDRbwLFn.dll:Zone.Identifier Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\TvcDyJjJQ\ Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019D60 4_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001C964 4_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001D68 4_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001496C 4_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002D70 4_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002178 4_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180024D80 4_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018598 4_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180003598 4_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002A9A8 4_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800119A8 4_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180025DAC 4_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018DAC 4_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800269B0 4_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800059B8 4_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800029BC 4_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800141C0 4_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800125C4 4_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800121CC 4_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800075D4 4_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800095DC 4_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000F9E8 4_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002610 4_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019618 4_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013E28 4_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001FA38 4_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A270 4_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019E78 4_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001DA80 4_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180024698 4_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000EE98 4_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800176B8 4_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001AAB8 4_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180011AD0 4_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008AD8 4_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800296EC 4_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A6EC 4_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800132F0 4_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019300 4_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001BB04 4_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002870C 4_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180026B10 4_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000131C 4_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000671C 4_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180029B28 4_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180012F28 4_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000BB28 4_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001EB30 4_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180020334 4_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180010758 4_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001435C 4_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009F5C 4_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180029368 4_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180020768 4_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017378 4_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013780 4_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015388 4_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000338C 4_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000738C 4_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002790 4_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800197A0 4_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002C7B4 4_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001DFB4 4_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001F7C0 4_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800097C0 4_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800157D8 4_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019FDC 4_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017BDC 4_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000F7E0 4_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001FE0 4_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000002077EEB0000 4_2_000002077EEB0000
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00750000 6_2_00750000
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180010FF4 6_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180028C20 6_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002C058 6_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001ACA4 6_2_000000018001ACA4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000551C 6_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180018148 6_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001496C 6_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000E1E0 6_2_000000018000E1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000C608 6_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180021618 6_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180013E28 6_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002AE44 6_2_000000018002AE44
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000D26C 6_2_000000018000D26C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180025278 6_2_0000000180025278
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000EE98 6_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800046A8 6_2_00000001800046A8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001AAB8 6_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180004ACA 6_2_0000000180004ACA
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800132F0 6_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180026B10 6_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001DBE8 6_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001FC0C 6_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000580C 6_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180022010 6_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001481C 6_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002A42C 6_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180011834 6_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180021C3C 6_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000703C 6_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000AC48 6_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000FC48 6_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180024458 6_2_0000000180024458
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180006458 6_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001C05C 6_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001A460 6_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180029888 6_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001D49C 6_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180008CA0 6_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800248A8 6_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180015CB0 6_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800124B4 6_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000C4B4 6_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800288B8 6_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800024B8 6_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000D8C4 6_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800250CC 6_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800190D4 6_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180017CE4 6_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800264F0 6_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800014F8 6_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180020CFC 6_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180009100 6_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002C904 6_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180017908 6_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180021510 6_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000F917 6_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000F128 6_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001CD38 6_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180016D3C 6_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001F944 6_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001D950 6_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180013150 6_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001ED50 6_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001E960 6_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180019D60 6_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001C964 6_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001C568 6_2_000000018001C568
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180001D68 6_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180002D70 6_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180024574 6_2_0000000180024574
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180002178 6_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180024D80 6_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180018598 6_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180003598 6_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001F1A4 6_2_000000018001F1A4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002A9A8 6_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800119A8 6_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180025DAC 6_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180018DAC 6_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800269B0 6_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800059B8 6_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800029BC 6_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800141C0 6_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800125C4 6_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800121CC 6_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000BDD0 6_2_000000018000BDD0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800075D4 6_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800095DC 6_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000F9E8 6_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180002610 6_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180019618 6_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001FA38 6_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000A270 6_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180019E78 6_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001DA80 6_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180024698 6_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800176B8 6_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002CAD0 6_2_000000018002CAD0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180011AD0 6_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180008AD8 6_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800296EC 6_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000A6EC 6_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180019300 6_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001BB04 6_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002870C 6_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000131C 6_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000671C 6_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180029B28 6_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180012F28 6_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000BB28 6_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001EB30 6_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180020334 6_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180010758 6_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001435C 6_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180009F5C 6_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180029368 6_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180020768 6_2_0000000180020768
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180017378 6_2_0000000180017378
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180013780 6_2_0000000180013780
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180015388 6_2_0000000180015388
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000338C 6_2_000000018000338C
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: 1V4gPPcQvB.dll Virustotal: Detection: 39%
Source: 1V4gPPcQvB.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\1V4gPPcQvB.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1V4gPPcQvB.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\1V4gPPcQvB.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1V4gPPcQvB.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\1V4gPPcQvB.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\1V4gPPcQvB.dll,DllUnregisterServer
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TvcDyJjJQ\NcAvRfvDRbwLFn.dll"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1V4gPPcQvB.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\1V4gPPcQvB.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\1V4gPPcQvB.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\1V4gPPcQvB.dll,DllUnregisterServer Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1V4gPPcQvB.dll",#1 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TvcDyJjJQ\NcAvRfvDRbwLFn.dll" Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
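The process-creation entries above contain two different kinds of event. The lines whose parent is loaddll64.exe are the sandbox's own DLL loader harness calling the sample's exports (ordinal #1, DllRegisterServer, DllUnregisterServer, and regsvr32 /s); the only sample-originated process event is regsvr32.exe spawning a second regsvr32.exe on a DLL in a randomly named subfolder of C:\Windows\System32, which matches the "PE file moved" entry later in this report. The following is an added example, not part of the report or of any vendor tooling: a small Python detector that parses these evidence lines and applies two heuristics, "LOLBin loads a DLL from a user-writable path" and "regsvr32 reloads a DLL from a System32 subfolder". The sample input is copied from this report's own lines; the rule names and the regular expressions are the example's own choices.

```python
import re

# Constructed input: "Process created" evidence lines copied from this report.
# The loaddll64.exe parent is the sandbox's DLL loader harness, not the sample.
SAMPLE_LINES = [
    r'Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1V4gPPcQvB.dll",#1',
    r"Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\1V4gPPcQvB.dll",
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1V4gPPcQvB.dll",#1 Jump to behavior',
    r'Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TvcDyJjJQ\NcAvRfvDRbwLFn.dll"',
    r"Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService",
    r'Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable',
]

# The image path is taken up to the first ".exe " so paths with spaces survive;
# the trailing "Jump to behavior" link label is stripped if present.
PROCESS_LINE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.+?)"
    r"(?: Jump to behavior)?$",
    re.IGNORECASE,
)
DLL_ARG = re.compile(r'"?(?P<path>[A-Z]:\\[^"\s,]+\.dll)"?', re.IGNORECASE)
USER_PATH = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)
SYSTEM32_SUBDIR_DLL = re.compile(
    r"^[A-Z]:\\Windows\\System32\\[^\\]+\\[^\\]+\.dll$", re.IGNORECASE
)
LOLBINS = {"rundll32.exe", "regsvr32.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(line):
    """Return (parent, image, cmdline) for a Process created line, else None."""
    m = PROCESS_LINE.match(line.strip())
    if not m:
        return None
    return m.group("parent"), m.group("image"), m.group("cmdline")


def rules(parent, image, cmdline):
    """Apply the two heuristics; rule names are this example's own."""
    hits = []
    img, par = basename(image), basename(parent)
    m = DLL_ARG.search(cmdline)
    dll = m.group("path") if m else None
    # rundll32/regsvr32 given a DLL under C:\Users\ (initial execution stage)
    if img in LOLBINS and dll and USER_PATH.match(dll):
        hits.append("lolbin_loads_dll_from_user_path")
    # regsvr32 re-launching itself on a DLL dropped into a System32 subfolder
    if img == "regsvr32.exe" and par == "regsvr32.exe" and dll and SYSTEM32_SUBDIR_DLL.match(dll):
        hits.append("regsvr32_reloads_dll_from_system32_subdir")
    return hits


def analyze(lines):
    """Return [(rule_name, cmdline)] for every rule that fires on every line."""
    findings = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        for rule in rules(*event):
            findings.append((rule, event[2]))
    return findings


if __name__ == "__main__":
    for rule, cmdline in analyze(SAMPLE_LINES):
        print(f"{rule}: {cmdline}")
```

The svchost.exe and MpCmdRun.exe lines are background service activity captured during the run and serve as negatives. In production telemetry the first rule will also fire on legitimate installers and developer workflows, so it is a triage signal rather than an alert on its own; the second rule, a regsvr32 parent re-registering a DLL from a freshly created System32 subfolder, is far rarer and is the event worth alerting on.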
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Jump to behavior
Source: classification engine Classification label: mal88.troj.evad.winDLL@28/6@0/2
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800046A8 CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,FindCloseChangeNotification, 6_2_00000001800046A8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1V4gPPcQvB.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3820:120:WilError_01
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 1V4gPPcQvB.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: 1V4gPPcQvB.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.648362301.00000000004B5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.648362301.00000000004B5000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001AFFD push ebp; retf 2_2_000000018001AFFE
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00000001800051D1 push ebp; iretd 2_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001BA32 push ebp; retf 2_2_000000018001BA33
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_0000000180004E83 push es; ret 2_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001B694 push es; ret 2_2_000000018001B6E9
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001BADD push ebp; iretd 2_2_000000018001BADE
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001B717 push ebp; iretd 2_2_000000018001B718
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_000000018001AF4E push ebp; retf 2_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001AFFD push ebp; retf 3_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800051D1 push ebp; iretd 3_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001BA32 push ebp; retf 3_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180004E83 push es; ret 3_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001B694 push es; ret 3_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001BADD push ebp; iretd 3_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001B717 push ebp; iretd 3_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180007B3F push esp; retf 3_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001AF4E push ebp; retf 3_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001AFFD push ebp; retf 4_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800051D1 push ebp; iretd 4_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001BA32 push ebp; retf 4_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180004E83 push es; ret 4_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001B694 push es; ret 4_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001BADD push ebp; iretd 4_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001B717 push ebp; iretd 4_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180007B3F push esp; retf 4_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001AF4E push ebp; retf 4_2_000000018001AF4F
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800051D1 push ebp; iretd 6_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180004E83 push es; ret 6_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180007B3F push esp; retf 6_2_0000000180007B40
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFE2317BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno, 2_2_00007FFFE2317BE8
Source: 1V4gPPcQvB.dll Static PE information: real checksum: 0x85ab6 should be: 0x872c4
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\1V4gPPcQvB.dll
Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\TvcDyJjJQ\NcAvRfvDRbwLFn.dll Jump to behavior
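The static PE entries in this section (image base 0x180000000, DYNAMIC_BASE and NX_COMPAT set, stored checksum 0x85ab6 where the computed value is 0x872c4) can all be read from the optional header with a few dozen lines of code. The following is an added example, not part of the report: a Python reader for those three fields plus an implementation of the PE image checksum (16-bit ones'-complement style folding over the whole file, skipping the CheckSum field itself, plus the file length, the same procedure pefile's generate_checksum() uses). Because the analysed sample is not reproduced here, the input is a constructed minimal PE32+ header with the report's image base and DLL characteristics; the expected checksum for that buffer is 0xAA2E.

```python
import struct

IMAGE_DLLCHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def optional_header_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER: e_lfanew + PE signature + file header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20


def pe_checksum(data):
    """Recompute the PE image checksum over the whole file."""
    skip = (optional_header_offset(data) + 0x40) // 4   # dword index of CheckSum
    remainder = len(data) % 4
    padded = data + b"\0" * ((4 - remainder) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:                              # fold carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)                   # length of the unpadded file


def describe(data):
    """Image base, DllCharacteristics names, and stored vs computed checksum."""
    opt = optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                     # PE32+: 8-byte ImageBase at +0x18
        image_base = struct.unpack_from("<Q", data, opt + 0x18)[0]
    elif magic == 0x10B:                                   # PE32: 4-byte ImageBase at +0x1C
        image_base = struct.unpack_from("<I", data, opt + 0x1C)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    stored = struct.unpack_from("<I", data, opt + 0x40)[0]
    flags = struct.unpack_from("<H", data, opt + 0x46)[0]
    computed = pe_checksum(data)
    return {
        "pe32plus": magic == 0x20B,
        "image_base": image_base,
        "dll_characteristics": sorted(n for b, n in IMAGE_DLLCHARACTERISTICS.items() if flags & b),
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_valid": stored == computed,
    }


def build_sample(stored_checksum):
    """Constructed 160-byte PE32+ header (not the analysed sample): MZ stub,
    e_lfanew 0x40, AMD64 file header with no sections, ImageBase 0x180000000,
    DYNAMIC_BASE|NX_COMPAT, and the given CheckSum field value."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x8664)              # Machine = AMD64
    opt = 0x58
    struct.pack_into("<H", buf, opt, 0x20B)                # PE32+ magic
    struct.pack_into("<Q", buf, opt + 0x18, 0x180000000)
    struct.pack_into("<I", buf, opt + 0x40, stored_checksum)
    struct.pack_into("<H", buf, opt + 0x46, 0x0040 | 0x0100)
    return bytes(buf)


if __name__ == "__main__":
    for label, sample in (("good", build_sample(0xAA2E)), ("tampered", build_sample(0x85AB6))):
        print(label, describe(sample))
```

Two caveats when using this on real files. The loader only enforces the checksum for drivers and boot-critical system DLLs, so most user-mode binaries carry a zero field and a zero is not evidence of anything; the interesting case is the one in this report, a non-zero value that does not match, which means the file was changed after the linker wrote it (packed, patched, or the header copied from another build). Second, the DYNAMIC_BASE and NX_COMPAT flags read here only say the image is ASLR- and DEP-compatible; they do not tell you whether the injected code that later runs inside rundll32.exe and regsvr32.exe keeps those protections.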

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\TvcDyJjJQ\NcAvRfvDRbwLFn.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\XfePrOUYXgeoZAs\CtbDsfecx.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\FLYyrZrfLeBKjbxn\mxVm.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 6356 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6436 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6272 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose, 6_2_000000018000D26C
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000012.00000002.605035022.000001D2BDC65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "@Hyper-V RAW
Source: regsvr32.exe, 00000006.00000003.323905969.000000000062F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.648803355.000000000062F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.534715974.000001F508C8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: regsvr32.exe, 00000006.00000003.324070812.0000000000641000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.323919837.000000000063F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.324089080.0000000000644000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.649002102.0000000000644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.604609331.000001D2B8229000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.605022460.000001D2BDC58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.534811285.000001F508CED000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.534802490.000001F508CE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.648559713.000001CCF8402000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000A.00000002.648615580.000001CCF8428000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.649094477.000002577346A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.648947309.0000023682E29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFE23120E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFFE23120E0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFE2317BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno, 2_2_00007FFFE2317BE8
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFE231D318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFFE231D318
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFE23120E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFFE23120E0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFE2316550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFFE2316550

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 23.239.0.12 443
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1V4gPPcQvB.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA, 2_2_00007FFFE231C6E4
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA, 2_2_00007FFFE231C2B4
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA, 2_2_00007FFFE231DF98
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA, 2_2_00007FFFE231C39C
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 2_2_00007FFFE231DF20
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 2_2_00007FFFE231DF3C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 2_2_00007FFFE231C7F4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 2_2_00007FFFE231C834
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 2_2_00007FFFE231C450
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 2_2_00007FFFE231C8C8
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 2_2_00007FFFE231C16C
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s, 2_2_00007FFFE231C934
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA, 2_2_00007FFFE231E1E8
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFE2314558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_00007FFFE2314558
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFFE231E6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 2_2_00007FFFE231E6C0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 0000000F.00000002.648636147.0000021C33640000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000F.00000002.648737472.0000021C33702000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 4.2.rundll32.exe.20701410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.22e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.22e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.20701410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.23396dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.23396dc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.649155251.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.264793383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.265168643.0000023396DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.649306435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.264939318.0000020701410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.267070861.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.266871028.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264935281.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY