Windows Analysis Report
5CUFfVMSaQ.dll

Overview

General Information

Sample Name: 5CUFfVMSaQ.dll
Analysis ID: 671666
MD5: 5d4728494832d03bbfb75367836fef4e
SHA1: abcbd283801a05390995862f59dcb5310f3d3d88
SHA256: caa60b9025dfba07efac6cae5438a8e20d9b7c210a721a4cf1f9d7b6df4d7d90
Tags: exeOpenCTIBRSandboxed
Infos:

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 5CUFfVMSaQ.dll Virustotal: Detection: 21% Perma Link
Source: 5CUFfVMSaQ.dll Metadefender: Detection: 45% Perma Link
Source: 5CUFfVMSaQ.dll ReversingLabs: Detection: 80%
Source: 00000007.00000002.783905665.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["188.165.79.151:443", "93.104.209.107:8080", "83.229.80.93:8080", "196.44.98.190:8080", "165.232.185.110:8080", "46.101.234.246:8080", "5.253.30.17:7080", "103.224.241.74:8080", "88.217.172.165:8080", "198.199.70.22:8080", "36.67.23.59:443", "157.245.111.0:8080", "128.199.242.164:8080", "139.196.72.155:8080", "202.29.239.162:443", "37.44.244.177:8080", "104.248.225.227:8080", "103.56.149.105:8080", "175.126.176.79:8080", "118.98.72.86:443", "157.230.99.206:8080", "103.85.95.4:8080", "103.71.99.57:8080", "104.244.79.94:443", "85.214.67.203:8080", "46.101.98.60:8080", "54.37.106.167:8080", "128.199.217.206:443", "178.62.112.199:8080", "103.41.204.169:8080", "103.254.12.236:7080", "116.124.128.206:8080", "54.37.228.122:443", "210.57.209.142:8080", "195.77.239.39:8080", "165.22.254.236:8080", "37.187.114.15:8080", "85.25.120.45:8080", "190.107.19.179:443", "62.171.178.147:8080", "87.106.97.83:7080", "139.59.80.108:8080", "103.126.216.86:443", "188.225.32.231:4143", "64.227.55.231:8080", "43.129.209.178:443", "202.134.4.210:7080", "202.28.34.99:8080", "190.145.8.4:443", "78.47.204.80:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0F12ZrwACAIg=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWSV3XrwAMAIg="]}
Source: unknown HTTPS traffic detected: 188.165.79.151:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800426C8 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_00000001800426C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800436B4 FindFirstFileExW, 3_2_00000001800436B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004383C FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_000000018004383C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180043DBC FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_0000000180043DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA0A20 FindFirstFileW,FindNextFileW, 7_2_00EA0A20

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 188.165.79.151 443 Jump to behavior
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.5:49772 -> 188.165.79.151:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 188.165.79.151:443
Source: Malware configuration extractor IPs: 93.104.209.107:8080
Source: Malware configuration extractor IPs: 83.229.80.93:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 165.232.185.110:8080
Source: Malware configuration extractor IPs: 46.101.234.246:8080
Source: Malware configuration extractor IPs: 5.253.30.17:7080
Source: Malware configuration extractor IPs: 103.224.241.74:8080
Source: Malware configuration extractor IPs: 88.217.172.165:8080
Source: Malware configuration extractor IPs: 198.199.70.22:8080
Source: Malware configuration extractor IPs: 36.67.23.59:443
Source: Malware configuration extractor IPs: 157.245.111.0:8080
Source: Malware configuration extractor IPs: 128.199.242.164:8080
Source: Malware configuration extractor IPs: 139.196.72.155:8080
Source: Malware configuration extractor IPs: 202.29.239.162:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 104.248.225.227:8080
Source: Malware configuration extractor IPs: 103.56.149.105:8080
Source: Malware configuration extractor IPs: 175.126.176.79:8080
Source: Malware configuration extractor IPs: 118.98.72.86:443
Source: Malware configuration extractor IPs: 157.230.99.206:8080
Source: Malware configuration extractor IPs: 103.85.95.4:8080
Source: Malware configuration extractor IPs: 103.71.99.57:8080
Source: Malware configuration extractor IPs: 104.244.79.94:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 46.101.98.60:8080
Source: Malware configuration extractor IPs: 54.37.106.167:8080
Source: Malware configuration extractor IPs: 128.199.217.206:443
Source: Malware configuration extractor IPs: 178.62.112.199:8080
Source: Malware configuration extractor IPs: 103.41.204.169:8080
Source: Malware configuration extractor IPs: 103.254.12.236:7080
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 165.22.254.236:8080
Source: Malware configuration extractor IPs: 37.187.114.15:8080
Source: Malware configuration extractor IPs: 85.25.120.45:8080
Source: Malware configuration extractor IPs: 190.107.19.179:443
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 87.106.97.83:7080
Source: Malware configuration extractor IPs: 139.59.80.108:8080
Source: Malware configuration extractor IPs: 103.126.216.86:443
Source: Malware configuration extractor IPs: 188.225.32.231:4143
Source: Malware configuration extractor IPs: 64.227.55.231:8080
Source: Malware configuration extractor IPs: 43.129.209.178:443
Source: Malware configuration extractor IPs: 202.134.4.210:7080
Source: Malware configuration extractor IPs: 202.28.34.99:8080
Source: Malware configuration extractor IPs: 190.145.8.4:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Cookie: CQHd=zROF5f0ZV1ZxZOeiJnhhFnLT/eIdAOEXkS+UqWmvXeeUa5HALooquXLstVuCCdmOVXvsMahuGIil7Z/r6qOuFjhQfDI8A2ofEM43G9ttUICAE9uNx6Fhx1n2lrRsMMMTx3azM7U+3k65+iRIhu5mKmMzhsnLsyfOfT+iQxewJc6NKVR9NE+e3qcP1Y3CnYPdyxgLKnYwwKKfunxCRdsXDWoB+OQyPwn+AGHfjdB6T5vGh5leD3pSUO5Ugv+Zrf4TmbS68/7svPcIMrtO2sDXc6RbVzCzf0fXaatnTZT1WjG8ZjSZDVfUeqe5k106rGD3Tg==Host: 188.165.79.151Connection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 157.230.99.206 157.230.99.206
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 21
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 188.165.79.151
Source: unknown TCP traffic detected without corresponding DNS query: 188.165.79.151
Source: unknown TCP traffic detected without corresponding DNS query: 188.165.79.151
Source: unknown TCP traffic detected without corresponding DNS query: 188.165.79.151
Source: unknown TCP traffic detected without corresponding DNS query: 188.165.79.151
Source: unknown TCP traffic detected without corresponding DNS query: 188.165.79.151
Source: unknown TCP traffic detected without corresponding DNS query: 188.165.79.151
Source: unknown TCP traffic detected without corresponding DNS query: 188.165.79.151
Source: unknown TCP traffic detected without corresponding DNS query: 188.165.79.151
Source: unknown TCP traffic detected without corresponding DNS query: 188.165.79.151
Source: regsvr32.exe, 00000007.00000002.784206191.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.475529987.0000000000F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000007.00000002.784206191.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.475529987.0000000000F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: regsvr32.exe, 00000007.00000003.475792765.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.784016944.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.784076102.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.475615056.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.475742934.0000000000F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.165.79.151/
Source: regsvr32.exe, 00000007.00000002.783905665.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.165.79.151/6S#
Source: regsvr32.exe, 00000007.00000003.475792765.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.784016944.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.475615056.0000000000F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.165.79.151/~r
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9C324 InternetReadFile, 7_2_00E9C324
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Cookie: CQHd=zROF5f0ZV1ZxZOeiJnhhFnLT/eIdAOEXkS+UqWmvXeeUa5HALooquXLstVuCCdmOVXvsMahuGIil7Z/r6qOuFjhQfDI8A2ofEM43G9ttUICAE9uNx6Fhx1n2lrRsMMMTx3azM7U+3k65+iRIhu5mKmMzhsnLsyfOfT+iQxewJc6NKVR9NE+e3qcP1Y3CnYPdyxgLKnYwwKKfunxCRdsXDWoB+OQyPwn+AGHfjdB6T5vGh5leD3pSUO5Ugv+Zrf4TmbS68/7svPcIMrtO2sDXc6RbVzCzf0fXaatnTZT1WjG8ZjSZDVfUeqe5k106rGD3Tg==Host: 188.165.79.151Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 188.165.79.151:443 -> 192.168.2.6:49750 version: TLS 1.2

E-Banking Fraud
barindex
Source: Yara match File source: 00000007.00000002.783905665.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.26bab700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1766c2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.26bab700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1766c2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.e50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1ed72500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1ed72500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.404900294.0000000002681000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.404253356.0000026BAB700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.398318822.000001ED72500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.399047583.000001766C2B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.398411719.000001ED72641000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.404280554.0000026BAB731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.783816835.0000000000E81000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.399210556.000001766C3F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.783761119.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.404818681.0000000002650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5CUFfVMSaQ.dll, type: SAMPLE
Source: Yara match File source: 3.2.regsvr32.exe.180000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.180000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.784489149.0000000180001000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.406068538.0000000180001000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Deletes files inside the Windows folder
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\ZJPGATOTIe\uLEHsZT.dll:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\ZJPGATOTIe\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C00C 3_2_000000018001C00C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E038 3_2_000000018001E038
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E224 3_2_000000018001E224
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C23C 3_2_000000018001C23C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A248 3_2_000000018001A248
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A390 3_2_000000018001A390
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800143D4 3_2_00000001800143D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E424 3_2_000000018001E424
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C46C 3_2_000000018001C46C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A4D8 3_2_000000018001A4D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180056540 3_2_0000000180056540
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C574 3_2_000000018001C574
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018598 3_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A5E4 3_2_000000018001A5E4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E60C 3_2_000000018001E60C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C67C 3_2_000000018001C67C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800126AC 3_2_00000001800126AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800426C8 3_2_00000001800426C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800086C4 3_2_00000001800086C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A6EC 3_2_000000018001A6EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A734 3_2_000000018000A734
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C784 3_2_000000018001C784
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800227D0 3_2_00000001800227D0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E7F4 3_2_000000018001E7F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016828 3_2_0000000180016828
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C88C 3_2_000000018001C88C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800228DC 3_2_00000001800228DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A918 3_2_000000018001A918
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024934 3_2_0000000180024934
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004E9B0 3_2_000000018004E9B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800229E4 3_2_00000001800229E4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E9F0 3_2_000000018001E9F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024A40 3_2_0000000180024A40
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008A50 3_2_0000000180008A50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001CAB8 3_2_000000018001CAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022AF0 3_2_0000000180022AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001EB0C 3_2_000000018001EB0C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001AB44 3_2_000000018001AB44
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024B48 3_2_0000000180024B48
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000EB58 3_2_000000018000EB58
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022BF8 3_2_0000000180022BF8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001EC14 3_2_000000018001EC14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024C54 3_2_0000000180024C54
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001CCE4 3_2_000000018001CCE4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022D00 3_2_0000000180022D00
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001ED54 3_2_000000018001ED54
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024D5C 3_2_0000000180024D5C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001AD70 3_2_000000018001AD70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022E08 3_2_0000000180022E08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180044E04 3_2_0000000180044E04
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001EE60 3_2_000000018001EE60
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024E64 3_2_0000000180024E64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001AE78 3_2_000000018001AE78
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022F10 3_2_0000000180022F10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001CF10 3_2_000000018001CF10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001EF68 3_2_000000018001EF68
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024F6C 3_2_0000000180024F6C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000EF80 3_2_000000018000EF80
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001AFA8 3_2_000000018001AFA8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020FCC 3_2_0000000180020FCC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004AFD0 3_2_000000018004AFD0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004CFEC 3_2_000000018004CFEC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001D018 3_2_000000018001D018
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013044 3_2_0000000180013044
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009070 3_2_0000000180009070
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025074 3_2_0000000180025074
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B0C4 3_2_000000018001B0C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001D120 3_2_000000018001D120
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002713C 3_2_000000018002713C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001D23C 3_2_000000018001D23C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003D290 3_2_000000018003D290
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B2B0 3_2_000000018001B2B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180027328 3_2_0000000180027328
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004B380 3_2_000000018004B380
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D3A0 3_2_000000018000D3A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001D428 3_2_000000018001D428
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B49C 3_2_000000018001B49C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F4C0 3_2_000000018001F4C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800234CC 3_2_00000001800234CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180027514 3_2_0000000180027514
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180011540 3_2_0000000180011540
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002557C 3_2_000000018002557C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800235D4 3_2_00000001800235D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B5D8 3_2_000000018000B5D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003F5E4 3_2_000000018003F5E4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F608 3_2_000000018000F608
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001D614 3_2_000000018001D614
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002964C 3_2_000000018002964C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003D650 3_2_000000018003D650
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025684 3_2_0000000180025684
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800436B4 3_2_00000001800436B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800236DC 3_2_00000001800236DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B6DC 3_2_000000018001B6DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180027714 3_2_0000000180027714
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002578C 3_2_000000018002578C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800237E4 3_2_00000001800237E4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004383C 3_2_000000018004383C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018005784C 3_2_000000018005784C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001D854 3_2_000000018001D854
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025894 3_2_0000000180025894
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B8C4 3_2_000000018001B8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800238EC 3_2_00000001800238EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800498EC 3_2_00000001800498EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800278FC 3_2_00000001800278FC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004B940 3_2_000000018004B940
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B96C 3_2_000000018000B96C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002599C 3_2_000000018002599C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800199DC 3_2_00000001800199DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800239F4 3_2_00000001800239F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180059A0C 3_2_0000000180059A0C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001DA3C 3_2_000000018001DA3C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025AA4 3_2_0000000180025AA4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001BAAC 3_2_000000018001BAAC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003DAC0 3_2_000000018003DAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180027AE4 3_2_0000000180027AE4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019AE4 3_2_0000000180019AE4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023AF8 3_2_0000000180023AF8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180031B10 3_2_0000000180031B10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180045B80 3_2_0000000180045B80
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025BA8 3_2_0000000180025BA8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023C00 3_2_0000000180023C00
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001DC24 3_2_000000018001DC24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025CB0 3_2_0000000180025CB0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001BCD4 3_2_000000018001BCD4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019D14 3_2_0000000180019D14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015D9C 3_2_0000000180015D9C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180043DBC 3_2_0000000180043DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001BDDC 3_2_000000018001BDDC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004BE14 3_2_000000018004BE14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001DE4C 3_2_000000018001DE4C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001FE64 3_2_000000018001FE64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019F44 3_2_0000000180019F44
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000BF8C 3_2_000000018000BF8C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02640000 3_2_02640000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A0358 3_2_026A0358
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026983D8 3_2_026983D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269606C 3_2_0269606C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02692008 3_2_02692008
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269061C 3_2_0269061C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269BA54 3_2_0269BA54
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02681A84 3_2_02681A84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02690B94 3_2_02690B94
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A29A0 3_2_026A29A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02684FEC 3_2_02684FEC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02699DE4 3_2_02699DE4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269327C 3_2_0269327C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02699270 3_2_02699270
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02681228 3_2_02681228
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269223C 3_2_0269223C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026892E8 3_2_026892E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026972F8 3_2_026972F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269A2DC 3_2_0269A2DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02685360 3_2_02685360
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02691350 3_2_02691350
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269F320 3_2_0269F320
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A1320 3_2_026A1320
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269C324 3_2_0269C324
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A53DC 3_2_026A53DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026843A0 3_2_026843A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268E3B4 3_2_0268E3B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269C078 3_2_0269C078
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02693044 3_2_02693044
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02682050 3_2_02682050
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02681000 3_2_02681000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269101C 3_2_0269101C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269D0E8 3_2_0269D0E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026940E0 3_2_026940E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A60C8 3_2_026A60C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A50D0 3_2_026A50D0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026830B8 3_2_026830B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02699084 3_2_02699084
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268D148 3_2_0268D148
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269115C 3_2_0269115C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A1150 3_2_026A1150
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02698154 3_2_02698154
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268B1E0 3_2_0268B1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026951F0 3_2_026951F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026971F0 3_2_026971F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269C18C 3_2_0269C18C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A4184 3_2_026A4184
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269E668 3_2_0269E668
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A6644 3_2_026A6644
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A3604 3_2_026A3604
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026926C4 3_2_026926C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026836D0 3_2_026836D0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268E6B8 3_2_0268E6B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268175C 3_2_0268175C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269373C 3_2_0269373C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269B7C4 3_2_0269B7C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026997B0 3_2_026997B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02697780 3_2_02697780
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02697468 3_2_02697468
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02696444 3_2_02696444
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A14EC 3_2_026A14EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268A4C8 3_2_0268A4C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026884B8 3_2_026884B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269D484 3_2_0269D484
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02694490 3_2_02694490
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268F54C 3_2_0268F54C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A2528 3_2_026A2528
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268E534 3_2_0268E534
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269051C 3_2_0269051C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026885EC 3_2_026885EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026835B8 3_2_026835B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268CA68 3_2_0268CA68
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02694A38 3_2_02694A38
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02691A08 3_2_02691A08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02696A00 3_2_02696A00
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A3AE8 3_2_026A3AE8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02692AB4 3_2_02692AB4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A6A84 3_2_026A6A84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02693B28 3_2_02693B28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02687B30 3_2_02687B30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268AB08 3_2_0268AB08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02682B04 3_2_02682B04
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02689BF8 3_2_02689BF8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02692BF0 3_2_02692BF0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269ABBC 3_2_0269ABBC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A386C 3_2_026A386C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269F854 3_2_0269F854
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02683800 3_2_02683800
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268881C 3_2_0268881C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269C810 3_2_0269C810
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02689814 3_2_02689814
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A5898 3_2_026A5898
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02689938 3_2_02689938
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269D93C 3_2_0269D93C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A19AC 3_2_026A19AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A4980 3_2_026A4980
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02688E6C 3_2_02688E6C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A3E4C 3_2_026A3E4C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269EE18 3_2_0269EE18
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269BE10 3_2_0269BE10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02682EA8 3_2_02682EA8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A5F48 3_2_026A5F48
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268CF5C 3_2_0268CF5C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02696F5C 3_2_02696F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268AF54 3_2_0268AF54
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A1F54 3_2_026A1F54
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02699F24 3_2_02699F24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02693F18 3_2_02693F18
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A3FD8 3_2_026A3FD8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02685FBC 3_2_02685FBC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02686F8C 3_2_02686F8C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02687C64 3_2_02687C64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A1C50 3_2_026A1C50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_026A5C18 3_2_026A5C18
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02681CAC 3_2_02681CAC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02696D48 3_2_02696D48
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02694D40 3_2_02694D40
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02689D50 3_2_02689D50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0268DD20 3_2_0268DD20
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02684D84 3_2_02684D84
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000001ED724F0000 4_2_000001ED724F0000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001766C2A0000 5_2_000001766C2A0000
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026BAB520000 6_2_0000026BAB520000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E40000 7_2_00E40000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA3AE8 7_2_00EA3AE8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8A4C8 7_2_00E8A4C8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E81A84 7_2_00E81A84
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9606C 7_2_00E9606C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9F854 7_2_00E9F854
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9BA54 7_2_00E9BA54
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA0A20 7_2_00EA0A20
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9061C 7_2_00E9061C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E84FEC 7_2_00E84FEC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E99DE4 7_2_00E99DE4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E951F0 7_2_00E951F0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E983D8 7_2_00E983D8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E85FBC 7_2_00E85FBC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E86F8C 7_2_00E86F8C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA0358 7_2_00EA0358
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9C324 7_2_00E9C324
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9AD10 7_2_00E9AD10
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E892E8 7_2_00E892E8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9D0E8 7_2_00E9D0E8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA14EC 7_2_00EA14EC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E940E0 7_2_00E940E0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E972F8 7_2_00E972F8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA60C8 7_2_00EA60C8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E926C4 7_2_00E926C4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9A2DC 7_2_00E9A2DC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E836D0 7_2_00E836D0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA50D0 7_2_00EA50D0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E82EA8 7_2_00E82EA8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E81CAC 7_2_00E81CAC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E830B8 7_2_00E830B8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E884B8 7_2_00E884B8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8E6B8 7_2_00E8E6B8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E92AB4 7_2_00E92AB4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9D484 7_2_00E9D484
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E99084 7_2_00E99084
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA6A84 7_2_00EA6A84
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA5898 7_2_00EA5898
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E94490 7_2_00E94490
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8CA68 7_2_00E8CA68
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9E668 7_2_00E9E668
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E97468 7_2_00E97468
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E88E6C 7_2_00E88E6C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA386C 7_2_00EA386C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E87C64 7_2_00E87C64
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9C078 7_2_00E9C078
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9327C 7_2_00E9327C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E99270 7_2_00E99270
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA3E4C 7_2_00EA3E4C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E93044 7_2_00E93044
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E96444 7_2_00E96444
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA6644 7_2_00EA6644
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E82050 7_2_00E82050
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA1C50 7_2_00EA1C50
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E81228 7_2_00E81228
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E94A38 7_2_00E94A38
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9223C 7_2_00E9223C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E91A08 7_2_00E91A08
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E92008 7_2_00E92008
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E83800 7_2_00E83800
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E81000 7_2_00E81000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E96A00 7_2_00E96A00
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA3604 7_2_00EA3604
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9EE18 7_2_00E9EE18
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA5C18 7_2_00EA5C18
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8881C 7_2_00E8881C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9101C 7_2_00E9101C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9C810 7_2_00E9C810
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9BE10 7_2_00E9BE10
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E89814 7_2_00E89814
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E885EC 7_2_00E885EC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8B1E0 7_2_00E8B1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E89BF8 7_2_00E89BF8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E92BF0 7_2_00E92BF0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E971F0 7_2_00E971F0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9B7C4 7_2_00E9B7C4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA3FD8 7_2_00EA3FD8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA53DC 7_2_00EA53DC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA19AC 7_2_00EA19AC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E843A0 7_2_00E843A0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA29A0 7_2_00EA29A0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E835B8 7_2_00E835B8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9ABBC 7_2_00E9ABBC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E997B0 7_2_00E997B0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8E3B4 7_2_00E8E3B4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9C18C 7_2_00E9C18C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E97780 7_2_00E97780
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA4980 7_2_00EA4980
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E84D84 7_2_00E84D84
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA4184 7_2_00EA4184
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E90B94 7_2_00E90B94
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E85360 7_2_00E85360
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8D148 7_2_00E8D148
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E96D48 7_2_00E96D48
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA5F48 7_2_00EA5F48
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8F54C 7_2_00E8F54C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E94D40 7_2_00E94D40
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8175C 7_2_00E8175C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8CF5C 7_2_00E8CF5C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E96F5C 7_2_00E96F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9115C 7_2_00E9115C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E89D50 7_2_00E89D50
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E91350 7_2_00E91350
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA1150 7_2_00EA1150
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8AF54 7_2_00E8AF54
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E98154 7_2_00E98154
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA1F54 7_2_00EA1F54
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E93B28 7_2_00E93B28
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA2528 7_2_00EA2528
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8DD20 7_2_00E8DD20
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9F320 7_2_00E9F320
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA1320 7_2_00EA1320
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E99F24 7_2_00E99F24
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E89938 7_2_00E89938
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9D93C 7_2_00E9D93C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9373C 7_2_00E9373C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E87B30 7_2_00E87B30
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8E534 7_2_00E8E534
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8AB08 7_2_00E8AB08
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E82B04 7_2_00E82B04
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E93F18 7_2_00E93F18
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E9051C 7_2_00E9051C
Found potential string decryption / allocating functions
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 0000000180037D34 appears 44 times
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
PE file contains more sections than normal
Source: 5CUFfVMSaQ.dll Static PE information: Number of sections : 12 > 10
Source: 5CUFfVMSaQ.dll Virustotal: Detection: 21%
Source: 5CUFfVMSaQ.dll Metadefender: Detection: 45%
Source: 5CUFfVMSaQ.dll ReversingLabs: Detection: 80%
Source: 5CUFfVMSaQ.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\5CUFfVMSaQ.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5CUFfVMSaQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5CUFfVMSaQ.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5CUFfVMSaQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\5CUFfVMSaQ.dll,ABeFtrnwmgAedx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\5CUFfVMSaQ.dll,AEjATaIExpQg
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZJPGATOTIe\uLEHsZT.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\5CUFfVMSaQ.dll,AbfBlUFQKbpevAFdaCpElBdscB
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5CUFfVMSaQ.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5CUFfVMSaQ.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\5CUFfVMSaQ.dll,ABeFtrnwmgAedx Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\5CUFfVMSaQ.dll,AEjATaIExpQg Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\5CUFfVMSaQ.dll,AbfBlUFQKbpevAFdaCpElBdscB Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5CUFfVMSaQ.dll",#1 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZJPGATOTIe\uLEHsZT.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal96.troj.evad.winDLL@19/0@0/51
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269BA54 CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification, 3_2_0269BA54
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5CUFfVMSaQ.dll",#1
Source: 5CUFfVMSaQ.dll Static PE information: More than 133 > 100 exports found
Source: 5CUFfVMSaQ.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: 5CUFfVMSaQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5CUFfVMSaQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5CUFfVMSaQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5CUFfVMSaQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5CUFfVMSaQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018007CB0E push rsp; retf 3_2_000000018007CB1F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018007CEE0 push rsp; retf 3_2_000000018007CEFF
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018007D180 push rsp; retf 3_2_000000018007D19F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002D2C9 push rdi; ret 3_2_000000018002D2D2
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018007D420 push rsp; retf 3_2_000000018007D43F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018007D7C0 push rsp; retf 3_2_000000018007D7DF
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002D8FD push rdi; ret 3_2_000000018002D904
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269B61A push ebp; retf 3_2_0269B61E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269B540 push esi; iretd 3_2_0269B541
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0269AE42 push ebp; iretd 3_2_0269AE43
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00E8236C push esp; retf 7_2_00E82383
PE file contains sections with non-standard names
Source: 5CUFfVMSaQ.dll Static PE information: section name: .00cfg
Source: 5CUFfVMSaQ.dll Static PE information: section name: .gehcont
Source: 5CUFfVMSaQ.dll Static PE information: section name: .gxfg
Source: 5CUFfVMSaQ.dll Static PE information: section name: .retplne
Source: 5CUFfVMSaQ.dll Static PE information: section name: .voltbl
Source: 5CUFfVMSaQ.dll Static PE information: section name: _RDATA
Registers a DLL
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5CUFfVMSaQ.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\ZJPGATOTIe\uLEHsZT.dll Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\ZJPGATOTIe\uLEHsZT.dll:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Found large amount of non-executed APIs
Source: C:\Windows\System32\regsvr32.exe API coverage: 4.9 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800426C8 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_00000001800426C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800436B4 FindFirstFileExW, 3_2_00000001800436B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004383C FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_000000018004383C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180043DBC FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_0000000180043DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00EA0A20 FindFirstFileW,FindNextFileW, 7_2_00EA0A20
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: regsvr32.exe, 00000007.00000003.475792765.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.784016944.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.475615056.0000000000F33000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: regsvr32.exe, 00000007.00000002.784076102.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.475615056.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.475742934.0000000000F50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.783802892.000001FB92800000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000C.00000002.783857058.000001FB92824000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003A8BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000000018003A8BC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800385E0 GetProcessHeap, 3_2_00000001800385E0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003A8BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000000018003A8BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003794 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0000000180003794
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003A24 SetUnhandledExceptionFilter, 3_2_0000000180003A24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003A34 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000000180003A34

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 188.165.79.151 443 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5CUFfVMSaQ.dll",#1 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_00000001800382D4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_00000001800383D4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_0000000180038478
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_0000000180050A74
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 3_2_0000000180036CD0
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_0000000180050D74
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_0000000180050E44
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_0000000180051090
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 3_2_0000000180051128
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_0000000180051230
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 3_2_0000000180051290
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_000000018005139C
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 3_2_0000000180051470
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180045B10 cpuid 3_2_0000000180045B10
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004050 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_0000000180004050

Stealing of Sensitive Information
barindex
Source: Yara match File source: 00000007.00000002.783905665.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.26bab700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1766c2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.26bab700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1766c2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.e50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1ed72500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1ed72500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.404900294.0000000002681000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.404253356.0000026BAB700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.398318822.000001ED72500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.399047583.000001766C2B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.398411719.000001ED72641000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.404280554.0000026BAB731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.783816835.0000000000E81000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.399210556.000001766C3F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.783761119.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.404818681.0000000002650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5CUFfVMSaQ.dll, type: SAMPLE
Source: Yara match File source: 3.2.regsvr32.exe.180000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.180000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.784489149.0000000180001000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.406068538.0000000180001000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 671666 Sample: 5CUFfVMSaQ.dll Startdate: 22/07/2022 Architecture: WINDOWS Score: 96 32 103.224.241.74 WEBWERKS-AS-INWebWerksIndiaPvtLtdIN India 2->32 34 202.29.239.162 UNINET-AS-APUNINET-TH Thailand 2->34 36 47 other IPs or domains 2->36 44 Snort IDS alert for network traffic 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 2->48 50 2 other signatures 2->50 8 loaddll64.exe 1 2->8         started        10 svchost.exe 2->10         started        13 svchost.exe 1 2->13         started        15 2 other processes 2->15 signatures3 process4 dnsIp5 17 regsvr32.exe 5 8->17         started        20 cmd.exe 1 8->20         started        22 rundll32.exe 8->22         started        24 2 other processes 8->24 38 192.168.2.1 unknown unknown 10->38 process6 signatures7 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->42 26 regsvr32.exe 17->26         started        30 rundll32.exe 20->30         started        process8 dnsIp9 40 188.165.79.151, 443, 49750 OVHFR France 26->40 52 System process connects to network (likely due to code injection or exploit) 26->52 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
157.230.99.206
 unknown United States
14061 DIGITALOCEAN-ASNUS true
188.165.79.151
 unknown France
16276 OVHFR true
196.44.98.190
 unknown Ghana
327814 EcobandGH true
43.129.209.178
 unknown Japan 4249 LILLY-ASUS true
36.67.23.59
 unknown Indonesia
17974 TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID true
103.41.204.169
 unknown Indonesia
58397 INFINYS-AS-IDPTInfinysSystemIndonesiaID true
5.253.30.17
 unknown Latvia
18978 ENZUINC-US true
85.214.67.203
 unknown Germany
6724 STRATOSTRATOAGDE true
83.229.80.93
 unknown United Kingdom
8513 SKYVISIONGB true
198.199.70.22
 unknown United States
14061 DIGITALOCEAN-ASNUS true
93.104.209.107
 unknown Germany
8767 MNET-ASGermanyDE true
188.225.32.231
 unknown Russian Federation
9123 TIMEWEB-ASRU true
175.126.176.79
 unknown Korea Republic of
9523 MOKWON-AS-KRMokwonUniversityKR true
128.199.242.164
 unknown United Kingdom
14061 DIGITALOCEAN-ASNUS true
104.248.225.227
 unknown United States
14061 DIGITALOCEAN-ASNUS true
46.101.98.60
 unknown Netherlands
14061 DIGITALOCEAN-ASNUS true
190.145.8.4
 unknown Colombia
14080 TelmexColombiaSACO true
103.71.99.57
 unknown India
135682 AWDHPL-AS-INAdvikaWebDevelopmentsHostingPvtLtdIN true
87.106.97.83
 unknown Germany
8560 ONEANDONE-ASBrauerstrasse48DE true
103.254.12.236
 unknown Viet Nam
56151 DIGISTAR-VNDigiStarCompanyLimitedVN true
103.85.95.4
 unknown Indonesia
136077 IDNIC-UNSRAT-AS-IDUniversitasIslamNegeriMataramID true
202.134.4.210
 unknown Indonesia
7713 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID true
88.217.172.165
 unknown Germany
8767 MNET-ASGermanyDE true
165.22.254.236
 unknown United States
14061 DIGITALOCEAN-ASNUS true
78.47.204.80
 unknown Germany
24940 HETZNER-ASDE true
118.98.72.86
 unknown Indonesia
7713 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID true
139.59.80.108
 unknown Singapore
14061 DIGITALOCEAN-ASNUS true
37.44.244.177
 unknown Germany
47583 AS-HOSTINGERLT true
104.244.79.94
 unknown United States
53667 PONYNETUS true
157.245.111.0
 unknown United States
14061 DIGITALOCEAN-ASNUS true
54.37.106.167
 unknown France
16276 OVHFR true
202.29.239.162
 unknown Thailand
4621 UNINET-AS-APUNINET-TH true
103.56.149.105
 unknown Indonesia
55688 BEON-AS-IDPTBeonIntermediaID true
85.25.120.45
 unknown Germany
8972 GD-EMEA-DC-SXB1DE true
37.187.114.15
 unknown France
16276 OVHFR true
46.101.234.246
 unknown Netherlands
14061 DIGITALOCEAN-ASNUS true
139.196.72.155
 unknown China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd true
165.232.185.110
 unknown United States
22255 ALLEGHENYHEALTHNETWORKUS true
103.126.216.86
 unknown Bangladesh
138482 SKYVIEW-AS-APSKYVIEWONLINELTDBD true
128.199.217.206
 unknown United Kingdom
14061 DIGITALOCEAN-ASNUS true
116.124.128.206
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
103.224.241.74
 unknown India
133296 WEBWERKS-AS-INWebWerksIndiaPvtLtdIN true
210.57.209.142
 unknown Indonesia
38142 UNAIR-AS-IDUniversitasAirlanggaID true
190.107.19.179
 unknown Colombia
27951 MediaCommercePartnersSACO true
202.28.34.99
 unknown Thailand
9562 MSU-TH-APMahasarakhamUniversityTH true
54.37.228.122
 unknown France
16276 OVHFR true
195.77.239.39
 unknown Spain
60493 FICOSA-ASES true
178.62.112.199
 unknown European Union
14061 DIGITALOCEAN-ASNUS true
62.171.178.147
 unknown United Kingdom
51167 CONTABODE true
64.227.55.231
 unknown United States
14061 DIGITALOCEAN-ASNUS true

Private

IP
192.168.2.1

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://188.165.79.151/ true
  • URL Reputation: safe
 unknown