Windows Analysis Report
UC2DFXQIBiE2kQ.dll

Overview

General Information

Sample Name: UC2DFXQIBiE2kQ.dll
Analysis ID: 747450
MD5: e2ec88ae31e147d1976368c6a8988d3c
SHA1: 937a21ced7f2663c923c9c614cbe06d95def511a
SHA256: ae7e655db35a71a3b2df96051d722d7995ec94feea3cbd59bec501042ab40847

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

AV Detection

Source: UC2DFXQIBiE2kQ.dll ReversingLabs: Detection: 80%
Source: UC2DFXQIBiE2kQ.dll Virustotal: Detection: 65%
Source: 00000007.00000002.825271099.00000000005B8000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0mhn6vQAbAJA=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWaBkovQARAJA="]}
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004A020 CryptStringToBinaryA,CryptStringToBinaryA, 3_2_000000018004A020
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029290 FindFirstFileExW, 3_2_0000000180029290
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002972C FindFirstFileExW,FindNextFileW,FindClose, 3_2_000000018002972C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 3_2_0000000180028B30

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 115.178.55.22 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 172.105.115.71 8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.5:49702 -> 115.178.55.22:80
Source: Malware configuration extractor IPs: 172.105.115.71:8080
Source: Malware configuration extractor IPs: 218.38.121.17:443
Source: Malware configuration extractor IPs: 186.250.48.5:443
Source: Malware configuration extractor IPs: 103.71.99.57:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 85.25.120.45:8080
Source: Malware configuration extractor IPs: 139.196.72.155:8080
Source: Malware configuration extractor IPs: 103.85.95.4:8080
Source: Malware configuration extractor IPs: 198.199.70.22:8080
Source: Malware configuration extractor IPs: 209.239.112.82:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 36.67.23.59:443
Source: Malware configuration extractor IPs: 104.244.79.94:443
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 103.56.149.105:8080
Source: Malware configuration extractor IPs: 80.211.107.116:8080
Source: Malware configuration extractor IPs: 93.104.209.107:8080
Source: Malware configuration extractor IPs: 174.138.33.49:7080
Source: Malware configuration extractor IPs: 202.28.34.99:8080
Source: Malware configuration extractor IPs: 178.62.112.199:8080
Source: Malware configuration extractor IPs: 114.79.130.68:443
Source: Malware configuration extractor IPs: 118.98.72.86:443
Source: Malware configuration extractor IPs: 103.41.204.169:8080
Source: Malware configuration extractor IPs: 178.238.225.252:8080
Source: Malware configuration extractor IPs: 83.229.80.93:8080
Source: Malware configuration extractor IPs: 46.101.98.60:8080
Source: Malware configuration extractor IPs: 82.98.180.154:7080
Source: Malware configuration extractor IPs: 87.106.97.83:7080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 139.59.80.108:8080
Source: Malware configuration extractor IPs: 103.224.241.74:8080
Source: Malware configuration extractor IPs: 103.254.12.236:7080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 165.22.254.236:8080
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 51.75.33.122:443
Source: Malware configuration extractor IPs: 128.199.217.206:443
Source: Malware configuration extractor IPs: 188.165.79.151:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 160.16.143.191:8080
Source: Malware configuration extractor IPs: 175.126.176.79:8080
Source: Malware configuration extractor IPs: 202.134.4.210:7080
Source: Malware configuration extractor IPs: 103.126.216.86:443
Source: Malware configuration extractor IPs: 190.145.8.4:443
Source: Malware configuration extractor IPs: 128.199.242.164:8080
Source: Malware configuration extractor IPs: 64.227.55.231:8080
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View IP Address: 172.105.115.71
Source: Joe Sandbox View IP Address: 188.165.79.151
Source: unknown Network traffic detected: IP country count 20
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: regsvr32.exe, 00000007.00000002.825572065.0000000000648000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.557007338.0000000000635000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.558194793.0000000000647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000007.00000003.423458103.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000007.00000002.825572065.0000000000648000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.557007338.0000000000635000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.558194793.0000000000647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/U
Source: regsvr32.exe, 00000007.00000003.558194793.0000000000647000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.7.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000007.00000002.825572065.0000000000648000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.557007338.0000000000635000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.558194793.0000000000647000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.423458103.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f88184c2e0311
Source: regsvr32.exe, 00000007.00000002.825452249.0000000000609000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.558130605.0000000000608000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.557978959.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.556670848.00000000005FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en7
Source: regsvr32.exe, 00000007.00000002.825452249.0000000000609000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.558149444.000000000060F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://172.105.115.71:8080/
Source: regsvr32.exe, 00000007.00000002.825452249.0000000000609000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.558149444.000000000060F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://172.105.115.71:8080/xkripgcuqclmh/pzukcvmjdrcsjp/ovittxpu/
Source: regsvr32.exe, 00000007.00000003.556869652.0000000000623000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.825513789.0000000000623000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.558725504.0000000000623000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://172.105.115.71:8080/xkripgcuqclmh/pzukcvmjdrcsjp/ovittxpu/d

E-Banking Fraud

Source: Yara match File source: 4.2.rundll32.exe.1e000100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.1350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2a2c4510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1eea9950000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.c90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.1350000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1eea9950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2a2c4510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1e000100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.309988911.000002A2C5F01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.315862116.000001EEA9950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.463359188.0000000001350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.825157778.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.309304798.000002A2C4510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.825690145.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.307121322.000001E000100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.314073232.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.307321524.000001E000141000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.463986640.0000000002C41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.314301645.0000000002731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.315937172.000001EEA9991000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\NzmNpNPvo\tzEWj.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\NzmNpNPvo\
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180044C30 3_2_0000000180044C30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180031018 3_2_0000000180031018
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800391F8 3_2_00000001800391F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020204 3_2_0000000180020204
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F22C 3_2_000000018001F22C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003D23C 3_2_000000018003D23C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029290 3_2_0000000180029290
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024460 3_2_0000000180024460
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F4B0 3_2_000000018001F4B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800204D0 3_2_00000001800204D0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003459C 3_2_000000018003459C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003B5A0 3_2_000000018003B5A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800305F8 3_2_00000001800305F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017604 3_2_0000000180017604
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F74C 3_2_000000018001F74C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032824 3_2_0000000180032824
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180037854 3_2_0000000180037854
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002B890 3_2_000000018002B890
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A93C 3_2_000000018000A93C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003A9A0 3_2_000000018003A9A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F9B4 3_2_000000018001F9B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026A0C 3_2_0000000180026A0C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028B30 3_2_0000000180028B30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001FC30 3_2_000000018001FC30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180031C3C 3_2_0000000180031C3C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003AE50 3_2_000000018003AE50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001FF10 3_2_000000018001FF10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032F94 3_2_0000000180032F94
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C70000 3_2_00C70000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027548E0 3_2_027548E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027338A5 3_2_027338A5
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273B1E0 3_2_0273B1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02739E38 3_2_02739E38
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02750454 3_2_02750454
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02758C94 3_2_02758C94
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02734DDC 3_2_02734DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02735DB4 3_2_02735DB4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274827C 3_2_0274827C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02742244 3_2_02742244
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02749230 3_2_02749230
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273BA24 3_2_0273BA24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02751A2C 3_2_02751A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02731A1C 3_2_02731A1C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02758A04 3_2_02758A04
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274FA08 3_2_0274FA08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02737AF0 3_2_02737AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274B2F0 3_2_0274B2F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273EAC4 3_2_0273EAC4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274629C 3_2_0274629C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0275629C 3_2_0275629C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02739298 3_2_02739298
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02752A84 3_2_02752A84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02731364 3_2_02731364
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273C364 3_2_0273C364
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273E368 3_2_0273E368
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02731B5C 3_2_02731B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02736B5C 3_2_02736B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02757348 3_2_02757348
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02734B4C 3_2_02734B4C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02745334 3_2_02745334
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274D32C 3_2_0274D32C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02740310 3_2_02740310
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02745B18 3_2_02745B18
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027473F8 3_2_027473F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02747BF8 3_2_02747BF8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273F3E0 3_2_0273F3E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02733BE8 3_2_02733BE8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02739BEC 3_2_02739BEC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02752B8C 3_2_02752B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274FB88 3_2_0274FB88
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02743B88 3_2_02743B88
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273CB8D 3_2_0273CB8D
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0275005C 3_2_0275005C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02732834 3_2_02732834
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273E828 3_2_0273E828
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02731000 3_2_02731000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273B8D0 3_2_0273B8D0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027498DC 3_2_027498DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027338DC 3_2_027338DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027448B0 3_2_027448B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027378B6 3_2_027378B6
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027410AC 3_2_027410AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274B898 3_2_0274B898
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02754098 3_2_02754098
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02736880 3_2_02736880
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274308C 3_2_0274308C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274C974 3_2_0274C974
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273F174 3_2_0273F174
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02740954 3_2_02740954
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02739144 3_2_02739144
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02750930 3_2_02750930
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02759124 3_2_02759124
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02732128 3_2_02732128
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02742110 3_2_02742110
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273D1E0 3_2_0273D1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027499E8 3_2_027499E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027399EC 3_2_027399EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273A1D4 3_2_0273A1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274C1DC 3_2_0274C1DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027379D8 3_2_027379D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027369C0 3_2_027369C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027459A0 3_2_027459A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273D1AC 3_2_0273D1AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02747198 3_2_02747198
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02741664 3_2_02741664
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02731660 3_2_02731660
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02736650 3_2_02736650
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273BE34 3_2_0273BE34
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274E614 3_2_0274E614
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02748ECC 3_2_02748ECC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_027396B8 3_2_027396B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02757EA4 3_2_02757EA4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02745694 3_2_02745694
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02758690 3_2_02758690
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02737694 3_2_02737694
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02743698 3_2_02743698
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273569C 3_2_0273569C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02754680 3_2_02754680
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273AE84 3_2_0273AE84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02748778 3_2_02748778
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273FF64 3_2_0273FF64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274E76C 3_2_0274E76C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000001E000130000 4_2_000001E000130000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000002A2C4540000 5_2_000002A2C4540000
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001EEA9980000 6_2_000001EEA9980000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00500000 7_2_00500000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_007548E0 7_2_007548E0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_007338DC 7_2_007338DC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00752CBC 7_2_00752CBC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00739144 7_2_00739144
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0073B1E0 7_2_0073B1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00734DDC 7_2_00734DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00735DB4 7_2_00735DB4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00732A7C 7_2_00732A7C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00739E38 7_2_00739E38
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0074FA08 7_2_0074FA08
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0074E76C 7_2_0074E76C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0074D718 7_2_0074D718
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_007473F8 7_2_007473F8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00733BE8 7_2_00733BE8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00735478 7_2_00735478
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00746464 7_2_00746464
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00750454 7_2_00750454
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0075005C 7_2_0075005C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00744C48 7_2_00744C48
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00732834 7_2_00732834
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0073E828 7_2_0073E828
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0073741C 7_2_0073741C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00731000 7_2_00731000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00745400 7_2_00745400
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0073CC06 7_2_0073CC06
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00753C0C 7_2_00753C0C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_007384F8 7_2_007384F8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_007564F8 7_2_007564F8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0073B8D0 7_2_0073B8D0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_007498DC 7_2_007498DC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00731CCC 7_2_00731CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_007448B0 7_2_007448B0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_007378B6 7_2_007378B6
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00734CA0 7_2_00734CA0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_007410AC 7_2_007410AC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00758C94 7_2_00758C94
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0073C498 7_2_0073C498
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0074B898 7_2_0074B898
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00754098 7_2_00754098
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00736880 7_2_00736880
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0074308C 7_2_0074308C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0075748C 7_2_0075748C
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000000018002CA30 appears 48 times
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: UC2DFXQIBiE2kQ.dll ReversingLabs: Detection: 80%
Source: UC2DFXQIBiE2kQ.dll Virustotal: Detection: 65%
Source: UC2DFXQIBiE2kQ.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ACeujVZMknFDjv
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,AHuDGMflBfPryOEYjuTfbzJdEM
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NzmNpNPvo\tzEWj.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ATjQPkInxPUGuUu
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\NzmNpNPvo\tzEWj.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\VfjAKsbRVDLoO\aeuwPIzDFvIwK.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ACeujVZMknFDjv
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,AHuDGMflBfPryOEYjuTfbzJdEM
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ATjQPkInxPUGuUu
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NzmNpNPvo\tzEWj.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\VfjAKsbRVDLoO\aeuwPIzDFvIwK.dll"
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\regsvr32.exe File created: C:\Users\user\AppData\Local\VfjAKsbRVDLoO\
Source: classification engine Classification label: mal84.troj.evad.winDLL@19/2@0/49
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02735DB4 FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32FirstW, 3_2_02735DB4
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: UC2DFXQIBiE2kQ.dll Static PE information: More than 250 > 100 exports found
Source: UC2DFXQIBiE2kQ.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UC2DFXQIBiE2kQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UC2DFXQIBiE2kQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UC2DFXQIBiE2kQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UC2DFXQIBiE2kQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UC2DFXQIBiE2kQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800131BD push rdi; ret 3_2_00000001800131C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013749 push rdi; ret 3_2_0000000180013752
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02753A7E push ebp; ret 3_2_02753A86
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0273838C push eax; ret 3_2_0273838E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274E0E9 push 8B48E1F7h; retf 3_2_0274E0F1
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0274E0D3 push 09B8E1F7h; retf 3_2_0274E0DD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02753127 push ebp; ret 3_2_02753128
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02752E55 push ebp; retf 3_2_02752E56
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0073838C push eax; ret 7_2_0073838E
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02C62E55 push ebp; retf 11_2_02C62E56
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02C63A7E push ebp; ret 11_2_02C63A86
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02C63BE1 push ebp; ret 11_2_02C63BE4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02C4838C push eax; ret 11_2_02C4838E
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02C62F5E push ebp; ret 11_2_02C62F64
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02C5E0D3 push 09B8E1F7h; retf 11_2_02C5E0DD
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02C5E0E9 push 8B48E1F7h; retf 11_2_02C5E0F1
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02C5E5C5 pushad ; ret 11_2_02C5E5C7
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02C63127 push ebp; ret 11_2_02C63128
Source: UC2DFXQIBiE2kQ.dll Static PE information: section name: _RDATA
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll
Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\NzmNpNPvo\tzEWj.dll

Boot Survival

barindex
Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tzEWj.dll
Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tzEWj.dll
Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tzEWj.dll

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\NzmNpNPvo\tzEWj.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\VfjAKsbRVDLoO\aeuwPIzDFvIwK.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 4500 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe API coverage: 7.5 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029290 FindFirstFileExW, 3_2_0000000180029290
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002972C FindFirstFileExW,FindNextFileW,FindClose, 3_2_000000018002972C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 3_2_0000000180028B30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 3_2_0000000180028B30
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 00000007.00000002.825398466.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.556613536.00000000005EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: regsvr32.exe, 00000007.00000002.825546472.000000000063C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.557007338.0000000000635000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.558412431.0000000000635000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003460 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002DE88 GetProcessHeap, 3_2_000000018002DE88
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003460 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003648 SetUnhandledExceptionFilter, 3_2_0000000180003648
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800156F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000001800156F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002E94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0000000180002E94

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\System32\regsvr32.exe Network Connect: 115.178.55.22 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 172.105.115.71 8080
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_0000000180035058
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_0000000180035118
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_000000018002C360
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 3_2_0000000180035364
Source: C:\Windows\System32\regsvr32.exe Code function: try_get_function,GetLocaleInfoW, 3_2_000000018002D3CC
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_000000018002C40C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_000000018002C488
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_00000001800354BC
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 3_2_0000000180035590
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_00000001800356BC
Source: C:\Windows\System32\regsvr32.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 3_2_0000000180034BB8
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_0000000180034F04
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_0000000180034F88
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800243D0 cpuid 3_2_00000001800243D0
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002D450 try_get_function,GetSystemTimeAsFileTime, 3_2_000000018002D450

Stealing of Sensitive Information

Source: Yara match File source: 4.2.rundll32.exe.1e000100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.1350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2a2c4510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1eea9950000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.c90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.1350000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1eea9950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2a2c4510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1e000100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.309988911.000002A2C5F01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.315862116.000001EEA9950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.463359188.0000000001350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.825157778.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.309304798.000002A2C4510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.825690145.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.307121322.000001E000100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.314073232.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.307321524.000001E000141000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.463986640.0000000002C41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.314301645.0000000002731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.315937172.000001EEA9991000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY