Windows Analysis Report
jYzNEOocXJ.dll

Overview

General Information

Sample Name: jYzNEOocXJ.dll
Analysis ID: 745049
MD5: c0f0068b25ecdd1a5cd3c6d38143b15a
SHA1: d8d3ca380c13761b9f78407caa626000d150c289
SHA256: fbfd3ffa1c73410da17ad4f695976a4667b6e47361fbc459e1d3c60973cc8bf6
Tags: dllexe

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: jYzNEOocXJ.dll Virustotal: Detection: 43%
Source: 00000006.00000002.697148413.00000000010C8000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"]}
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875ED9410 CryptStringToBinaryA,CryptStringToBinaryA, 0_2_00007FF875ED9410
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875ED9410 CryptStringToBinaryA,CryptStringToBinaryA, 3_2_00007FF875ED9410
Source: jYzNEOocXJ.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875ECC334 FindFirstFileExW, 0_2_00007FF875ECC334
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875ECC334 FindFirstFileExW, 3_2_00007FF875ECC334

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 115.178.55.22 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 172.105.115.71 8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.4:49695 -> 115.178.55.22:80
Source: Malware configuration extractor IPs: 172.105.115.71:8080
Source: Malware configuration extractor IPs: 218.38.121.17:443
Source: Malware configuration extractor IPs: 186.250.48.5:443
Source: Malware configuration extractor IPs: 103.71.99.57:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 85.25.120.45:8080
Source: Malware configuration extractor IPs: 139.196.72.155:8080
Source: Malware configuration extractor IPs: 103.85.95.4:8080
Source: Malware configuration extractor IPs: 198.199.70.22:8080
Source: Malware configuration extractor IPs: 209.239.112.82:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 36.67.23.59:443
Source: Malware configuration extractor IPs: 104.244.79.94:443
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 103.56.149.105:8080
Source: Malware configuration extractor IPs: 80.211.107.116:8080
Source: Malware configuration extractor IPs: 93.104.209.107:8080
Source: Malware configuration extractor IPs: 174.138.33.49:7080
Source: Malware configuration extractor IPs: 202.28.34.99:8080
Source: Malware configuration extractor IPs: 178.62.112.199:8080
Source: Malware configuration extractor IPs: 114.79.130.68:443
Source: Malware configuration extractor IPs: 118.98.72.86:443
Source: Malware configuration extractor IPs: 103.41.204.169:8080
Source: Malware configuration extractor IPs: 178.238.225.252:8080
Source: Malware configuration extractor IPs: 83.229.80.93:8080
Source: Malware configuration extractor IPs: 46.101.98.60:8080
Source: Malware configuration extractor IPs: 82.98.180.154:7080
Source: Malware configuration extractor IPs: 87.106.97.83:7080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 139.59.80.108:8080
Source: Malware configuration extractor IPs: 103.224.241.74:8080
Source: Malware configuration extractor IPs: 103.254.12.236:7080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 165.22.254.236:8080
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 51.75.33.122:443
Source: Malware configuration extractor IPs: 128.199.217.206:443
Source: Malware configuration extractor IPs: 188.165.79.151:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 160.16.143.191:8080
Source: Malware configuration extractor IPs: 175.126.176.79:8080
Source: Malware configuration extractor IPs: 202.134.4.210:7080
Source: Malware configuration extractor IPs: 103.126.216.86:443
Source: Malware configuration extractor IPs: 190.145.8.4:443
Source: Malware configuration extractor IPs: 128.199.242.164:8080
Source: Malware configuration extractor IPs: 64.227.55.231:8080
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View IP Address: 172.105.115.71 172.105.115.71
Source: Joe Sandbox View IP Address: 188.165.79.151 188.165.79.151
Source: unknown Network traffic detected: IP country count 20
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: regsvr32.exe, 00000006.00000003.423421853.0000000001150000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552082559.000000000115B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.697366684.000000000115B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.423232290.000000000114B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.423043947.000000000113E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000006.00000003.418946388.00000000011AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000006.00000003.423278323.0000000001197000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.423165900.0000000001197000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.553312101.0000000001197000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.697455015.0000000001197000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Low
Source: regsvr32.exe, 00000006.00000003.423278323.0000000001197000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.423165900.0000000001197000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.553312101.0000000001197000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.697455015.0000000001197000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/i
Source: regsvr32.exe, 00000006.00000003.551063183.0000000001116000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.422986320.0000000001116000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.697259240.000000000111D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.553461267.000000000111C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000006.00000003.423421853.0000000001150000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552082559.000000000115B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.697366684.000000000115B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.423232290.000000000114B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.423043947.000000000113E000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000006.00000003.423421853.0000000001150000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552082559.000000000115B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.697366684.000000000115B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.423232290.000000000114B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.423043947.000000000113E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab&r
Source: regsvr32.exe, 00000006.00000003.418946388.00000000011AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3ed396b023d22
Source: regsvr32.exe, 00000006.00000003.422986320.0000000001116000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://112.105.115.71:8080/
Source: regsvr32.exe, 00000006.00000003.423028643.0000000001136000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.697148413.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.423390565.0000000001136000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.554202021.0000000001136000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.697284267.0000000001138000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.551296638.0000000001136000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://172.105.115.71:8080/bdelrzrlgxme/diymyxue/
Source: regsvr32.exe, 00000006.00000002.697148413.00000000010C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://172.105.115.71:8080/bdelrzrlgxme/diymyxue/tJZyzW
Source: regsvr32.exe, 00000006.00000003.551063183.0000000001116000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.422986320.0000000001116000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.697259240.000000000111D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.553461267.000000000111C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://172.105.115.71:8080/li.dll

E-Banking Fraud

Source: Yara match File source: 6.2.regsvr32.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1a258030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.e60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.23f52b30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1a258030000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.27431870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.27431870000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.23f52b30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.320621509.0000023F52B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.463284106.0000000002600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.319773366.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697070975.0000000001060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.315142366.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697818333.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.318472309.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.463484464.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.318117264.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.316112609.0000000000E60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319585082.000001A258030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.316330831.0000027431870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe File deleted: C:\Windows\System32\YhqMukqR\WKPbtCt.dll:Zone.Identifier
Source: C:\Windows\System32\loaddll64.exe File created: C:\Windows\system32\JrmcekIAugfRaJga\
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875ED3FB0 0_2_00007FF875ED3FB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875ED1910 0_2_00007FF875ED1910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875ECABC0 0_2_00007FF875ECABC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875ECA370 0_2_00007FF875ECA370
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875ECC334 0_2_00007FF875ECC334
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180020454 0_2_0000000180020454
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180028C94 0_2_0000000180028C94
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800038A5 0_2_00000001800038A5
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800248E0 0_2_00000001800248E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180009144 0_2_0000000180009144
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180005DB4 0_2_0000000180005DB4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180004DDC 0_2_0000000180004DDC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000B1E0 0_2_000000018000B1E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180009E38 0_2_0000000180009E38
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180003BE8 0_2_0000000180003BE8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180009BEC 0_2_0000000180009BEC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800173F8 0_2_00000001800173F8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180017BF8 0_2_0000000180017BF8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180015400 0_2_0000000180015400
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180001000 0_2_0000000180001000
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000741C 0_2_000000018000741C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000E828 0_2_000000018000E828
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180002834 0_2_0000000180002834
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180014C48 0_2_0000000180014C48
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018002005C 0_2_000000018002005C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180016464 0_2_0000000180016464
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180005478 0_2_0000000180005478
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180006880 0_2_0000000180006880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018002748C 0_2_000000018002748C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001308C 0_2_000000018001308C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180024098 0_2_0000000180024098
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001B898 0_2_000000018001B898
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000C498 0_2_000000018000C498
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180004CA0 0_2_0000000180004CA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800110AC 0_2_00000001800110AC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800148B0 0_2_00000001800148B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800078B6 0_2_00000001800078B6
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180001CCC 0_2_0000000180001CCC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000B8D0 0_2_000000018000B8D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800198DC 0_2_00000001800198DC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800038DC 0_2_00000001800038DC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800264F8 0_2_00000001800264F8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800084F8 0_2_00000001800084F8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000BD00 0_2_000000018000BD00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180015508 0_2_0000000180015508
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180018D0C 0_2_0000000180018D0C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180012110 0_2_0000000180012110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001B520 0_2_000000018001B520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180029124 0_2_0000000180029124
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180013524 0_2_0000000180013524
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180009D24 0_2_0000000180009D24
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180023D28 0_2_0000000180023D28
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180002128 0_2_0000000180002128
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180020930 0_2_0000000180020930
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001F550 0_2_000000018001F550
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180020D54 0_2_0000000180020D54
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180010954 0_2_0000000180010954
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180018560 0_2_0000000180018560
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000E570 0_2_000000018000E570
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001C974 0_2_000000018001C974
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000F174 0_2_000000018000F174
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180025D84 0_2_0000000180025D84
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180005590 0_2_0000000180005590
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180017198 0_2_0000000180017198
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800159A0 0_2_00000001800159A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180011DAC 0_2_0000000180011DAC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000D1AC 0_2_000000018000D1AC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800069C0 0_2_00000001800069C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000A1D4 0_2_000000018000A1D4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800079D8 0_2_00000001800079D8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001C1DC 0_2_000000018001C1DC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000D1E0 0_2_000000018000D1E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800199E8 0_2_00000001800199E8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800099EC 0_2_00000001800099EC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180028A04 0_2_0000000180028A04
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001FA08 0_2_000000018001FA08
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001E614 0_2_000000018001E614
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180001A1C 0_2_0000000180001A1C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000BA24 0_2_000000018000BA24
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180021A2C 0_2_0000000180021A2C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180019230 0_2_0000000180019230
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000BE34 0_2_000000018000BE34
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180012244 0_2_0000000180012244
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180006650 0_2_0000000180006650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180001660 0_2_0000000180001660
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180011664 0_2_0000000180011664
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001827C 0_2_000000018001827C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180024680 0_2_0000000180024680
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180022A84 0_2_0000000180022A84
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000AE84 0_2_000000018000AE84
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180028690 0_2_0000000180028690
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180015694 0_2_0000000180015694
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180007694 0_2_0000000180007694
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180013698 0_2_0000000180013698
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180009298 0_2_0000000180009298
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018002629C 0_2_000000018002629C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001629C 0_2_000000018001629C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000569C 0_2_000000018000569C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180027EA4 0_2_0000000180027EA4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800096B8 0_2_00000001800096B8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000EAC4 0_2_000000018000EAC4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180018ECC 0_2_0000000180018ECC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001B2F0 0_2_000000018001B2F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180007AF0 0_2_0000000180007AF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000E708 0_2_000000018000E708
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180010310 0_2_0000000180010310
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180015B18 0_2_0000000180015B18
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000871C 0_2_000000018000871C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180021728 0_2_0000000180021728
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001D32C 0_2_000000018001D32C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001CF30 0_2_000000018001CF30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180015334 0_2_0000000180015334
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000A734 0_2_000000018000A734
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180027348 0_2_0000000180027348
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180004B4C 0_2_0000000180004B4C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180001B5C 0_2_0000000180001B5C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180006B5C 0_2_0000000180006B5C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180001364 0_2_0000000180001364
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000FF64 0_2_000000018000FF64
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000C364 0_2_000000018000C364
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000E368 0_2_000000018000E368
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001E76C 0_2_000000018001E76C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180018778 0_2_0000000180018778
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180012780 0_2_0000000180012780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001FB88 0_2_000000018001FB88
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180013B88 0_2_0000000180013B88
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180022B8C 0_2_0000000180022B8C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000CB8D 0_2_000000018000CB8D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180008FA0 0_2_0000000180008FA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180014FA4 0_2_0000000180014FA4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800197AC 0_2_00000001800197AC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800257B4 0_2_00000001800257B4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180013FE0 0_2_0000000180013FE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000F3E0 0_2_000000018000F3E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000023F52B60000 0_2_0000023F52B60000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875ED3FB0 3_2_00007FF875ED3FB0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875ED1910 3_2_00007FF875ED1910
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875ECABC0 3_2_00007FF875ECABC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875ECA370 3_2_00007FF875ECA370
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875ECC334 3_2_00007FF875ECC334
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_011F0000 3_2_011F0000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020454 3_2_0000000180020454
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028C94 3_2_0000000180028C94
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800038A5 3_2_00000001800038A5
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800248E0 3_2_00000001800248E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005DB4 3_2_0000000180005DB4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004DDC 3_2_0000000180004DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B1E0 3_2_000000018000B1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009E38 3_2_0000000180009E38
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003BE8 3_2_0000000180003BE8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009BEC 3_2_0000000180009BEC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800173F8 3_2_00000001800173F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017BF8 3_2_0000000180017BF8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015400 3_2_0000000180015400
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001000 3_2_0000000180001000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000741C 3_2_000000018000741C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E828 3_2_000000018000E828
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002834 3_2_0000000180002834
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014C48 3_2_0000000180014C48
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002005C 3_2_000000018002005C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016464 3_2_0000000180016464
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005478 3_2_0000000180005478
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006880 3_2_0000000180006880
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002748C 3_2_000000018002748C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001308C 3_2_000000018001308C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024098 3_2_0000000180024098
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B898 3_2_000000018001B898
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000C498 3_2_000000018000C498
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004CA0 3_2_0000000180004CA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800110AC 3_2_00000001800110AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800148B0 3_2_00000001800148B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800078B6 3_2_00000001800078B6
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001CCC 3_2_0000000180001CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B8D0 3_2_000000018000B8D0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800198DC 3_2_00000001800198DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800038DC 3_2_00000001800038DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800264F8 3_2_00000001800264F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800084F8 3_2_00000001800084F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000BD00 3_2_000000018000BD00
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015508 3_2_0000000180015508
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018D0C 3_2_0000000180018D0C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012110 3_2_0000000180012110
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B520 3_2_000000018001B520
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029124 3_2_0000000180029124
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013524 3_2_0000000180013524
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009D24 3_2_0000000180009D24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023D28 3_2_0000000180023D28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002128 3_2_0000000180002128
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020930 3_2_0000000180020930
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009144 3_2_0000000180009144
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F550 3_2_000000018001F550
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020D54 3_2_0000000180020D54
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010954 3_2_0000000180010954
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018560 3_2_0000000180018560
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E570 3_2_000000018000E570
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C974 3_2_000000018001C974
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F174 3_2_000000018000F174
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025D84 3_2_0000000180025D84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005590 3_2_0000000180005590
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017198 3_2_0000000180017198
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800159A0 3_2_00000001800159A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180011DAC 3_2_0000000180011DAC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D1AC 3_2_000000018000D1AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800069C0 3_2_00000001800069C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A1D4 3_2_000000018000A1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800079D8 3_2_00000001800079D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C1DC 3_2_000000018001C1DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D1E0 3_2_000000018000D1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800199E8 3_2_00000001800199E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800099EC 3_2_00000001800099EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028A04 3_2_0000000180028A04
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001FA08 3_2_000000018001FA08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E614 3_2_000000018001E614
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001A1C 3_2_0000000180001A1C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000BA24 3_2_000000018000BA24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021A2C 3_2_0000000180021A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019230 3_2_0000000180019230
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000BE34 3_2_000000018000BE34
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012244 3_2_0000000180012244
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006650 3_2_0000000180006650
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001660 3_2_0000000180001660
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180011664 3_2_0000000180011664
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001827C 3_2_000000018001827C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024680 3_2_0000000180024680
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022A84 3_2_0000000180022A84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000AE84 3_2_000000018000AE84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028690 3_2_0000000180028690
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015694 3_2_0000000180015694
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007694 3_2_0000000180007694
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013698 3_2_0000000180013698
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009298 3_2_0000000180009298
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002629C 3_2_000000018002629C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001629C 3_2_000000018001629C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000569C 3_2_000000018000569C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180027EA4 3_2_0000000180027EA4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800096B8 3_2_00000001800096B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000EAC4 3_2_000000018000EAC4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018ECC 3_2_0000000180018ECC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B2F0 3_2_000000018001B2F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007AF0 3_2_0000000180007AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E708 3_2_000000018000E708
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010310 3_2_0000000180010310
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015B18 3_2_0000000180015B18
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000871C 3_2_000000018000871C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021728 3_2_0000000180021728
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001D32C 3_2_000000018001D32C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001CF30 3_2_000000018001CF30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015334 3_2_0000000180015334
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A734 3_2_000000018000A734
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180027348 3_2_0000000180027348
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004B4C 3_2_0000000180004B4C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001B5C 3_2_0000000180001B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006B5C 3_2_0000000180006B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001364 3_2_0000000180001364
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000FF64 3_2_000000018000FF64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000C364 3_2_000000018000C364
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E368 3_2_000000018000E368
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E76C 3_2_000000018001E76C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018778 3_2_0000000180018778
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012780 3_2_0000000180012780
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001FB88 3_2_000000018001FB88
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013B88 3_2_0000000180013B88
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022B8C 3_2_0000000180022B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000CB8D 3_2_000000018000CB8D
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008FA0 3_2_0000000180008FA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014FA4 3_2_0000000180014FA4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800197AC 3_2_00000001800197AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800257B4 3_2_00000001800257B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013FE0 3_2_0000000180013FE0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F3E0 3_2_000000018000F3E0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180020454 4_2_0000000180020454
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180028C94 4_2_0000000180028C94
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800038A5 4_2_00000001800038A5
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800248E0 4_2_00000001800248E0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009144 4_2_0000000180009144
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180005DB4 4_2_0000000180005DB4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180004DDC 4_2_0000000180004DDC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000B1E0 4_2_000000018000B1E0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009E38 4_2_0000000180009E38
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180003BE8 4_2_0000000180003BE8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009BEC 4_2_0000000180009BEC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800173F8 4_2_00000001800173F8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017BF8 4_2_0000000180017BF8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015400 4_2_0000000180015400
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001000 4_2_0000000180001000
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000741C 4_2_000000018000741C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000E828 4_2_000000018000E828
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002834 4_2_0000000180002834
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180014C48 4_2_0000000180014C48
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002005C 4_2_000000018002005C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180016464 4_2_0000000180016464
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180005478 4_2_0000000180005478
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006880 4_2_0000000180006880
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002748C 4_2_000000018002748C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001308C 4_2_000000018001308C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180024098 4_2_0000000180024098
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001B898 4_2_000000018001B898
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000C498 4_2_000000018000C498
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180004CA0 4_2_0000000180004CA0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800110AC 4_2_00000001800110AC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800148B0 4_2_00000001800148B0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800078B6 4_2_00000001800078B6
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001CCC 4_2_0000000180001CCC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000B8D0 4_2_000000018000B8D0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800198DC 4_2_00000001800198DC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800038DC 4_2_00000001800038DC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800264F8 4_2_00000001800264F8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800084F8 4_2_00000001800084F8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000BD00 4_2_000000018000BD00
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015508 4_2_0000000180015508
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018D0C 4_2_0000000180018D0C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180012110 4_2_0000000180012110
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001B520 4_2_000000018001B520
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180029124 4_2_0000000180029124
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013524 4_2_0000000180013524
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009D24 4_2_0000000180009D24
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180023D28 4_2_0000000180023D28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002128 4_2_0000000180002128
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180020930 4_2_0000000180020930
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001F550 4_2_000000018001F550
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180020D54 4_2_0000000180020D54
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180010954 4_2_0000000180010954
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018560 4_2_0000000180018560
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000E570 4_2_000000018000E570
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001C974 4_2_000000018001C974
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000F174 4_2_000000018000F174
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180025D84 4_2_0000000180025D84
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180005590 4_2_0000000180005590
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017198 4_2_0000000180017198
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800159A0 4_2_00000001800159A0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180011DAC 4_2_0000000180011DAC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000D1AC 4_2_000000018000D1AC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800069C0 4_2_00000001800069C0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A1D4 4_2_000000018000A1D4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800079D8 4_2_00000001800079D8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001C1DC 4_2_000000018001C1DC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000D1E0 4_2_000000018000D1E0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800199E8 4_2_00000001800199E8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800099EC 4_2_00000001800099EC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180028A04 4_2_0000000180028A04
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001FA08 4_2_000000018001FA08
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001E614 4_2_000000018001E614
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001A1C 4_2_0000000180001A1C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000BA24 4_2_000000018000BA24
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021A2C 4_2_0000000180021A2C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019230 4_2_0000000180019230
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000BE34 4_2_000000018000BE34
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180012244 4_2_0000000180012244
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006650 4_2_0000000180006650
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001660 4_2_0000000180001660
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180011664 4_2_0000000180011664
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001827C 4_2_000000018001827C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180024680 4_2_0000000180024680
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180022A84 4_2_0000000180022A84
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000AE84 4_2_000000018000AE84
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180028690 4_2_0000000180028690
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015694 4_2_0000000180015694
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180007694 4_2_0000000180007694
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013698 4_2_0000000180013698
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009298 4_2_0000000180009298
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002629C 4_2_000000018002629C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001629C 4_2_000000018001629C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000569C 4_2_000000018000569C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180027EA4 4_2_0000000180027EA4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800096B8 4_2_00000001800096B8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000EAC4 4_2_000000018000EAC4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018ECC 4_2_0000000180018ECC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001B2F0 4_2_000000018001B2F0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180007AF0 4_2_0000000180007AF0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000E708 4_2_000000018000E708
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180010310 4_2_0000000180010310
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015B18 4_2_0000000180015B18
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000871C 4_2_000000018000871C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021728 4_2_0000000180021728
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001D32C 4_2_000000018001D32C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001CF30 4_2_000000018001CF30
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015334 4_2_0000000180015334
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A734 4_2_000000018000A734
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180027348 4_2_0000000180027348
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180004B4C 4_2_0000000180004B4C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006B5C 4_2_0000000180006B5C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001B5C 4_2_0000000180001B5C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001364 4_2_0000000180001364
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000FF64 4_2_000000018000FF64
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000C364 4_2_000000018000C364
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000E368 4_2_000000018000E368
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001E76C 4_2_000000018001E76C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018778 4_2_0000000180018778
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180012780 4_2_0000000180012780
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001FB88 4_2_000000018001FB88
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013B88 4_2_0000000180013B88
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180022B8C 4_2_0000000180022B8C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000CB8D 4_2_000000018000CB8D
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008FA0 4_2_0000000180008FA0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180014FA4 4_2_0000000180014FA4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800197AC 4_2_00000001800197AC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800257B4 4_2_00000001800257B4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013FE0 4_2_0000000180013FE0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000F3E0 4_2_000000018000F3E0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000002742FDD0000 4_2_000002742FDD0000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180020454 5_2_0000000180020454
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180028C94 5_2_0000000180028C94
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800038A5 5_2_00000001800038A5
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800248E0 5_2_00000001800248E0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180009144 5_2_0000000180009144
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180005DB4 5_2_0000000180005DB4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180004DDC 5_2_0000000180004DDC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000B1E0 5_2_000000018000B1E0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180009E38 5_2_0000000180009E38
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180003BE8 5_2_0000000180003BE8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180009BEC 5_2_0000000180009BEC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800173F8 5_2_00000001800173F8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180017BF8 5_2_0000000180017BF8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180015400 5_2_0000000180015400
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001000 5_2_0000000180001000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000741C 5_2_000000018000741C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000E828 5_2_000000018000E828
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002834 5_2_0000000180002834
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180014C48 5_2_0000000180014C48
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002005C 5_2_000000018002005C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180016464 5_2_0000000180016464
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180005478 5_2_0000000180005478
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180006880 5_2_0000000180006880
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002748C 5_2_000000018002748C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001308C 5_2_000000018001308C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180024098 5_2_0000000180024098
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001B898 5_2_000000018001B898
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000C498 5_2_000000018000C498
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180004CA0 5_2_0000000180004CA0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800110AC 5_2_00000001800110AC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800148B0 5_2_00000001800148B0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800078B6 5_2_00000001800078B6
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001CCC 5_2_0000000180001CCC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000B8D0 5_2_000000018000B8D0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800198DC 5_2_00000001800198DC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800038DC 5_2_00000001800038DC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800264F8 5_2_00000001800264F8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800084F8 5_2_00000001800084F8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000BD00 5_2_000000018000BD00
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180015508 5_2_0000000180015508
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180018D0C 5_2_0000000180018D0C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180012110 5_2_0000000180012110
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001B520 5_2_000000018001B520
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180029124 5_2_0000000180029124
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180013524 5_2_0000000180013524
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180009D24 5_2_0000000180009D24
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180023D28 5_2_0000000180023D28
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002128 5_2_0000000180002128
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180020930 5_2_0000000180020930
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001F550 5_2_000000018001F550
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180020D54 5_2_0000000180020D54
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180010954 5_2_0000000180010954
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180018560 5_2_0000000180018560
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000E570 5_2_000000018000E570
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001C974 5_2_000000018001C974
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000F174 5_2_000000018000F174
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180025D84 5_2_0000000180025D84
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180005590 5_2_0000000180005590
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180017198 5_2_0000000180017198
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800159A0 5_2_00000001800159A0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180011DAC 5_2_0000000180011DAC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000D1AC 5_2_000000018000D1AC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800069C0 5_2_00000001800069C0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000A1D4 5_2_000000018000A1D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800079D8 5_2_00000001800079D8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001C1DC 5_2_000000018001C1DC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000D1E0 5_2_000000018000D1E0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800199E8 5_2_00000001800199E8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800099EC 5_2_00000001800099EC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180028A04 5_2_0000000180028A04
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001FA08 5_2_000000018001FA08
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001E614 5_2_000000018001E614
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001A1C 5_2_0000000180001A1C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000BA24 5_2_000000018000BA24
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180021A2C 5_2_0000000180021A2C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180019230 5_2_0000000180019230
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000BE34 5_2_000000018000BE34
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180012244 5_2_0000000180012244
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180006650 5_2_0000000180006650
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001660 5_2_0000000180001660
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180011664 5_2_0000000180011664
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001827C 5_2_000000018001827C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180024680 5_2_0000000180024680
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180022A84 5_2_0000000180022A84
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000AE84 5_2_000000018000AE84
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180028690 5_2_0000000180028690
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180015694 5_2_0000000180015694
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180007694 5_2_0000000180007694
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180013698 5_2_0000000180013698
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180009298 5_2_0000000180009298
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002629C 5_2_000000018002629C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001629C 5_2_000000018001629C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000569C 5_2_000000018000569C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180027EA4 5_2_0000000180027EA4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800096B8 5_2_00000001800096B8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000EAC4 5_2_000000018000EAC4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180018ECC 5_2_0000000180018ECC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001B2F0 5_2_000000018001B2F0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180007AF0 5_2_0000000180007AF0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000E708 5_2_000000018000E708
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: jYzNEOocXJ.dll Virustotal: Detection: 43%
Source: jYzNEOocXJ.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\jYzNEOocXJ.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jYzNEOocXJ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\jYzNEOocXJ.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYzNEOocXJ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\jYzNEOocXJ.dll,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YhqMukqR\WKPbtCt.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CnOJxSOHoIZ\XLOPNLSQKFeGDobG.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LeIpJFXeWNrKp\WDkCewjz.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JrmcekIAugfRaJga\wZoiQYtaqTdQWiU.dll"
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\YhqMukqR\WKPbtCt.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\QsPhJsYAcWyHWDlz\rCROaieYUHXY.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jYzNEOocXJ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\jYzNEOocXJ.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\jYzNEOocXJ.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JrmcekIAugfRaJga\wZoiQYtaqTdQWiU.dll"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYzNEOocXJ.dll",#1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CnOJxSOHoIZ\XLOPNLSQKFeGDobG.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YhqMukqR\WKPbtCt.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LeIpJFXeWNrKp\WDkCewjz.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\QsPhJsYAcWyHWDlz\rCROaieYUHXY.dll"
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\regsvr32.exe File created: C:\Users\user\AppData\Local\QsPhJsYAcWyHWDlz\
Source: classification engine Classification label: mal84.troj.evad.winDLL@21/2@0/49
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875ED3CB0 CreateWindowExW,RegisterTouchWindow,MessageBoxW,CoCreateInstance,new,ShowWindow,UpdateWindow, 0_2_00007FF875ED3CB0
Source: C:\Windows\System32\loaddll64.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180005DB4 FindCloseChangeNotification,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW, 0_2_0000000180005DB4
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYzNEOocXJ.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1400:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: jYzNEOocXJ.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: jYzNEOocXJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jYzNEOocXJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jYzNEOocXJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jYzNEOocXJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jYzNEOocXJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jYzNEOocXJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: jYzNEOocXJ.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: jYzNEOocXJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jYzNEOocXJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jYzNEOocXJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jYzNEOocXJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jYzNEOocXJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jYzNEOocXJ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875EC8909 push rdi; ret 0_2_00007FF875EC8912
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875EC837D push rdi; ret 0_2_00007FF875EC8384
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001E0D3 push 09B8E1F7h; retf 0_2_000000018001E0DD
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001E0E9 push 8B48E1F7h; retf 0_2_000000018001E0F1
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180023127 push ebp; ret 0_2_0000000180023128
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001E5C5 pushad ; ret 0_2_000000018001E5C7
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180022E55 push ebp; retf 0_2_0000000180022E56
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180023A7E push ebp; ret 0_2_0000000180023A86
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180022F5E push ebp; ret 0_2_0000000180022F64
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000838C push eax; ret 0_2_000000018000838E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875EC8909 push rdi; ret 3_2_00007FF875EC8912
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875EC837D push rdi; ret 3_2_00007FF875EC8384
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E0D3 push 09B8E1F7h; retf 3_2_000000018001E0DD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E0E9 push 8B48E1F7h; retf 3_2_000000018001E0F1
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023127 push ebp; ret 3_2_0000000180023128
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E5C5 pushad ; ret 3_2_000000018001E5C7
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022E55 push ebp; retf 3_2_0000000180022E56
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023A7E push ebp; ret 3_2_0000000180023A86
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022F5E push ebp; ret 3_2_0000000180022F64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000838C push eax; ret 3_2_000000018000838E
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001E0D3 push 09B8E1F7h; retf 4_2_000000018001E0DD
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001E0E9 push 8B48E1F7h; retf 4_2_000000018001E0F1
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180023127 push ebp; ret 4_2_0000000180023128
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001E5C5 pushad ; ret 4_2_000000018001E5C7
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180022E55 push ebp; retf 4_2_0000000180022E56
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180023A7E push ebp; ret 4_2_0000000180023A86
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180022F5E push ebp; ret 4_2_0000000180022F64
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000838C push eax; ret 4_2_000000018000838E
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001E0D3 push 09B8E1F7h; retf 5_2_000000018001E0DD
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001E0E9 push 8B48E1F7h; retf 5_2_000000018001E0F1
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180023127 push ebp; ret 5_2_0000000180023128
Source: jYzNEOocXJ.dll Static PE information: section name: .gxfg
Source: jYzNEOocXJ.dll Static PE information: section name: .gehcont
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\jYzNEOocXJ.dll
Source: C:\Windows\System32\rundll32.exe PE file moved: C:\Windows\System32\YhqMukqR\WKPbtCt.dll

Boot Survival

Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WKPbtCt.dll
Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WKPbtCt.dll
Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WKPbtCt.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll64.exe File opened: C:\Windows\system32\JrmcekIAugfRaJga\wZoiQYtaqTdQWiU.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\CnOJxSOHoIZ\XLOPNLSQKFeGDobG.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\YhqMukqR\WKPbtCt.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\LeIpJFXeWNrKp\WDkCewjz.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\QsPhJsYAcWyHWDlz\rCROaieYUHXY.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 3000 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe API coverage: 9.0 %
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875ECC334 FindFirstFileExW, 0_2_00007FF875ECC334
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875ECC334 FindFirstFileExW, 3_2_00007FF875ECC334
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 00000006.00000003.423399767.000000000113E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.422904227.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552017745.0000000001140000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.554160218.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.551335564.000000000113E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.554355868.0000000001146000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.423043947.000000000113E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000006.00000003.423399767.000000000113E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552017745.0000000001140000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.697314998.0000000001148000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.551335564.000000000113E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.554355868.0000000001146000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.423043947.000000000113E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWK
Source: loaddll64.exe, 00000000.00000003.316815455.0000023F510FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: loaddll64.exe, 00000000.00000003.316503837.0000023F510FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875EC4944 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF875EC4944
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875ECDD90 GetProcessHeap, 0_2_00007FF875ECDD90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875EC3AD0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF875EC3AD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875EC4944 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF875EC4944
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875EC9474 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF875EC9474
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875EC3AD0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FF875EC3AD0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875EC4944 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF875EC4944
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF875EC9474 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF875EC9474

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 115.178.55.22 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 172.105.115.71 8080
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYzNEOocXJ.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875ECAB50 cpuid 0_2_00007FF875ECAB50
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF875EC4A94 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF875EC4A94

Stealing of Sensitive Information

Source: Yara match File source: 6.2.regsvr32.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1a258030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.e60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.23f52b30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1a258030000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.27431870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.27431870000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.23f52b30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.320621509.0000023F52B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.463284106.0000000002600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.319773366.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697070975.0000000001060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.315142366.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.697818333.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.318472309.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.463484464.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.318117264.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.316112609.0000000000E60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319585082.000001A258030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.316330831.0000027431870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
[Map legend (contacted-IP distribution chart): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]