Windows Analysis Report
UC2DFXQIBiE2kQ.dll

Overview

General Information

Sample Name: UC2DFXQIBiE2kQ.dll
Analysis ID: 747450
MD5: e2ec88ae31e147d1976368c6a8988d3c
SHA1: 937a21ced7f2663c923c9c614cbe06d95def511a
SHA256: ae7e655db35a71a3b2df96051d722d7995ec94feea3cbd59bec501042ab40847

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: UC2DFXQIBiE2kQ.dll ReversingLabs: Detection: 80%
Source: UC2DFXQIBiE2kQ.dll Virustotal: Detection: 65%
Source: 00000007.00000002.643867915.0000000000768000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"]}
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004A020 CryptStringToBinaryA,CryptStringToBinaryA, 3_2_000000018004A020
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029290 FindFirstFileExW, 3_2_0000000180029290
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002972C FindFirstFileExW,FindNextFileW,FindClose, 3_2_000000018002972C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 3_2_0000000180028B30

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 115.178.55.22 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 172.105.115.71 8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.5:49702 -> 115.178.55.22:80
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View IP Address: 172.105.115.71
Source: Joe Sandbox View IP Address: 188.165.79.151
Source: unknown Network traffic detected: IP country count 20
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: regsvr32.exe, 00000007.00000003.498656108.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376956234.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376593045.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.644389698.00000000007EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000007.00000003.498656108.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.367569904.000000000084F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376956234.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376593045.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.366938622.000000000084E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.644389698.00000000007EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000007.00000003.498656108.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376956234.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376593045.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.644389698.00000000007EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Low
Source: regsvr32.exe, 00000007.00000002.644389698.00000000007EB000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.7.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000007.00000002.644987249.0000000002188000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.367737765.0000000002161000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.367595710.0000000002119000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.367854580.0000000002188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?88ebd9d8707cc
Source: regsvr32.exe, 00000007.00000002.644205882.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.377022283.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.498731511.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.498831398.00000000007B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enQ
Source: regsvr32.exe, 00000007.00000002.643867915.0000000000768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://172.105.115.71:8080/qfmakzntwajcoi/xgtrfra/
Source: regsvr32.exe, 00000007.00000003.376938490.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.644320880.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376525428.00000000007CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://172.105.115.71:8080/qfmakzntwajcoi/xgtrfra/O
Source: regsvr32.exe, 00000007.00000002.644205882.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.377022283.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.498731511.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.498831398.00000000007B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://172.105.115.71:8080/s

E-Banking Fraud

Source: Yara match File source: 4.2.rundll32.exe.24188500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2080000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1b505730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.regsvr32.exe.13d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1deaae80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.24188500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.regsvr32.exe.13d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1deaae80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1b505730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.256991395.000001B505A51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.261455242.0000000002D51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.260696945.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254973039.0000024188500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.409592549.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.256810706.000001B505730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.645047092.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.261815497.000001DEAC681000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.644659709.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.409741112.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.255048336.0000024188541000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.261734338.000001DEAAE80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\CqZilJuzKBQGflL\PYmtZH.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\CqZilJuzKBQGflL\
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EE708 7_2_021EE708
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EA734 7_2_021EA734
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F5334 7_2_021F5334
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021FCF30 7_2_021FCF30
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021FD32C 7_2_021FD32C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E1B5C 7_2_021E1B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E6B5C 7_2_021E6B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E4B4C 7_2_021E4B4C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F8778 7_2_021F8778
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02207348 7_2_02207348
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EE368 7_2_021EE368
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E1364 7_2_021E1364
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EFF64 7_2_021EFF64
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EC364 7_2_021EC364
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_022047B0 7_2_022047B0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_022057B4 7_2_022057B4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F3B88 7_2_021F3B88
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021FFB88 7_2_021FFB88
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F2780 7_2_021F2780
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02202B8C 7_2_02202B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F97AC 7_2_021F97AC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F4FA4 7_2_021F4FA4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E8FA0 7_2_021E8FA0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F7BF8 7_2_021F7BF8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E9BEC 7_2_021E9BEC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EF3E0 7_2_021EF3E0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F3FE0 7_2_021F3FE0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E741C 7_2_021E741C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021ECC06 7_2_021ECC06
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E1000 7_2_021E1000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F5400 7_2_021F5400
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E2834 7_2_021E2834
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02203C0C 7_2_02203C0C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EE828 7_2_021EE828
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F4C48 7_2_021F4C48
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E5478 7_2_021E5478
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02200454 7_2_02200454
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F6464 7_2_021F6464
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0220005C 7_2_0220005C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EC498 7_2_021EC498
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021FB898 7_2_021FB898
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F308C 7_2_021F308C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E6880 7_2_021E6880
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E78B6 7_2_021E78B6
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0220748C 7_2_0220748C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F48B0 7_2_021F48B0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F10AC 7_2_021F10AC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02208C94 7_2_02208C94
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02204098 7_2_02204098
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E4CA0 7_2_021E4CA0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F98DC 7_2_021F98DC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EB8D0 7_2_021EB8D0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E1CCC 7_2_021E1CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_022064F8 7_2_022064F8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E84F8 7_2_021E84F8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02209124 7_2_02209124
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02203D28 7_2_02203D28
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F2110 7_2_021F2110
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02200930 7_2_02200930
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F8D0C 7_2_021F8D0C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F5508 7_2_021F5508
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EBD00 7_2_021EBD00
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E2128 7_2_021E2128
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E9D24 7_2_021E9D24
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F3524 7_2_021F3524
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021FB520 7_2_021FB520
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02209568 7_2_02209568
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F0954 7_2_021F0954
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021FF550 7_2_021FF550
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EF174 7_2_021EF174
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021FC974 7_2_021FC974
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EE570 7_2_021EE570
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02200D54 7_2_02200D54
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F8560 7_2_021F8560
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F7198 7_2_021F7198
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E5590 7_2_021E5590
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02205D84 7_2_02205D84
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021ED1AC 7_2_021ED1AC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F1DAC 7_2_021F1DAC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F59A0 7_2_021F59A0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021FC1DC 7_2_021FC1DC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E79D8 7_2_021E79D8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021EA1D4 7_2_021EA1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E69C0 7_2_021E69C0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E99EC 7_2_021E99EC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021F99E8 7_2_021F99E8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021ED1E0 7_2_021ED1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_01400000 18_2_01400000
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD9E38 18_2_02CD9E38
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE5B18 18_2_02CE5B18
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF48E0 18_2_02CF48E0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF8C94 18_2_02CF8C94
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD38A5 18_2_02CD38A5
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF0454 18_2_02CF0454
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD4DDC 18_2_02CD4DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDB1E0 18_2_02CDB1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD5DB4 18_2_02CD5DB4
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE8ECC 18_2_02CE8ECC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDEAC4 18_2_02CDEAC4
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD7AF0 18_2_02CD7AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEB2F0 18_2_02CEB2F0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDAE84 18_2_02CDAE84
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF2A84 18_2_02CF2A84
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF4680 18_2_02CF4680
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD569C 18_2_02CD569C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE629C 18_2_02CE629C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF629C 18_2_02CF629C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD9298 18_2_02CD9298
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE3698 18_2_02CE3698
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD7694 18_2_02CD7694
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE5694 18_2_02CE5694
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF8690 18_2_02CF8690
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF7EA4 18_2_02CF7EA4
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD96B8 18_2_02CD96B8
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE2244 18_2_02CE2244
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD6650 18_2_02CD6650
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE1664 18_2_02CE1664
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD1660 18_2_02CD1660
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE827C 18_2_02CE827C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEFA08 18_2_02CEFA08
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF8A04 18_2_02CF8A04
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD1A1C 18_2_02CD1A1C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEE614 18_2_02CEE614
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF1A2C 18_2_02CF1A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDBA24 18_2_02CDBA24
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDBE34 18_2_02CDBE34
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE9230 18_2_02CE9230
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD9BEC 18_2_02CD9BEC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD3BE8 18_2_02CD3BE8
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDF3E0 18_2_02CDF3E0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE3FE0 18_2_02CE3FE0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE73F8 18_2_02CE73F8
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE7BF8 18_2_02CE7BF8
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDCB8D 18_2_02CDCB8D
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF2B8C 18_2_02CF2B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEFB88 18_2_02CEFB88
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE3B88 18_2_02CE3B88
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE2780 18_2_02CE2780
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE97AC 18_2_02CE97AC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE4FA4 18_2_02CE4FA4
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD8FA0 18_2_02CD8FA0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF57B4 18_2_02CF57B4
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF47B0 18_2_02CF47B0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD4B4C 18_2_02CD4B4C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF7348 18_2_02CF7348
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD6B5C 18_2_02CD6B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD1B5C 18_2_02CD1B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEE76C 18_2_02CEE76C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDE368 18_2_02CDE368
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD1364 18_2_02CD1364
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDFF64 18_2_02CDFF64
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDC364 18_2_02CDC364
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE8778 18_2_02CE8778
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDE708 18_2_02CDE708
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD871C 18_2_02CD871C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE0310 18_2_02CE0310
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CED32C 18_2_02CED32C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF1728 18_2_02CF1728
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF5B28 18_2_02CF5B28
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDA734 18_2_02CDA734
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE5334 18_2_02CE5334
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CECF30 18_2_02CECF30
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD1CCC 18_2_02CD1CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD38DC 18_2_02CD38DC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE98DC 18_2_02CE98DC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDB8D0 18_2_02CDB8D0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD84F8 18_2_02CD84F8
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF64F8 18_2_02CF64F8
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE308C 18_2_02CE308C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF748C 18_2_02CF748C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD6880 18_2_02CD6880
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDC498 18_2_02CDC498
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEB898 18_2_02CEB898
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF4098 18_2_02CF4098
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE10AC 18_2_02CE10AC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD4CA0 18_2_02CD4CA0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD78B6 18_2_02CD78B6
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE48B0 18_2_02CE48B0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE4C48 18_2_02CE4C48
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF005C 18_2_02CF005C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDD864 18_2_02CDD864
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE6464 18_2_02CE6464
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD5478 18_2_02CD5478
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF3C0C 18_2_02CF3C0C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD1000 18_2_02CD1000
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE5400 18_2_02CE5400
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD741C 18_2_02CD741C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDE828 18_2_02CDE828
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD2834 18_2_02CD2834
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDD1CA 18_2_02CDD1CA
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD69C0 18_2_02CD69C0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEC1DC 18_2_02CEC1DC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD79D8 18_2_02CD79D8
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDA1D4 18_2_02CDA1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD99EC 18_2_02CD99EC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE99E8 18_2_02CE99E8
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF5D84 18_2_02CF5D84
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE7198 18_2_02CE7198
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD5590 18_2_02CD5590
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDD1AC 18_2_02CDD1AC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE1DAC 18_2_02CE1DAC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE59A0 18_2_02CE59A0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD9144 18_2_02CD9144
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE0954 18_2_02CE0954
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF0D54 18_2_02CF0D54
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEF550 18_2_02CEF550
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF9568 18_2_02CF9568
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE8560 18_2_02CE8560
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDF174 18_2_02CDF174
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEC974 18_2_02CEC974
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDE570 18_2_02CDE570
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE8D0C 18_2_02CE8D0C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE5508 18_2_02CE5508
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CDBD00 18_2_02CDBD00
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE2110 18_2_02CE2110
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD2128 18_2_02CD2128
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF3D28 18_2_02CF3D28
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD9D24 18_2_02CD9D24
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CE3524 18_2_02CE3524
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF9124 18_2_02CF9124
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEB520 18_2_02CEB520
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF0930 18_2_02CF0930
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000000018002CA30 appears 48 times
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: UC2DFXQIBiE2kQ.dll ReversingLabs: Detection: 80%
Source: UC2DFXQIBiE2kQ.dll Virustotal: Detection: 65%
Source: UC2DFXQIBiE2kQ.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ACeujVZMknFDjv
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,AHuDGMflBfPryOEYjuTfbzJdEM
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CqZilJuzKBQGflL\PYmtZH.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll,ATjQPkInxPUGuUu
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\CqZilJuzKBQGflL\PYmtZH.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\OKCYiYOFwZjDcIsn\OYsSlVLvWy.dll"
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\regsvr32.exe File created: C:\Users\user\AppData\Local\OKCYiYOFwZjDcIsn\
Source: classification engine Classification label: mal84.troj.evad.winDLL@19/2@0/49
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02D55DB4 FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32FirstW, 3_2_02D55DB4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: UC2DFXQIBiE2kQ.dll Static PE information: More than 250 > 100 exports found
Source: UC2DFXQIBiE2kQ.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UC2DFXQIBiE2kQ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: UC2DFXQIBiE2kQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UC2DFXQIBiE2kQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UC2DFXQIBiE2kQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UC2DFXQIBiE2kQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UC2DFXQIBiE2kQ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800131BD push rdi; ret 3_2_00000001800131C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013749 push rdi; ret 3_2_0000000180013752
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02D73A7E push ebp; ret 3_2_02D73A86
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02D5838C push eax; ret 3_2_02D5838E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02D6E0D3 push 09B8E1F7h; retf 3_2_02D6E0DD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02D6E0E9 push 8B48E1F7h; retf 3_2_02D6E0F1
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02D73127 push ebp; ret 3_2_02D73128
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02D72E55 push ebp; retf 3_2_02D72E56
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02D72F5E push ebp; ret 3_2_02D72F64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02D6E5C5 pushad ; ret 3_2_02D6E5C7
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_021E838C push eax; ret 7_2_021E838E
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF2E55 push ebp; retf 18_2_02CF2E56
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF3A7E push ebp; ret 18_2_02CF3A86
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF3BE1 push ebp; ret 18_2_02CF3BE4
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CD838C push eax; ret 18_2_02CD838E
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF2F5E push ebp; ret 18_2_02CF2F64
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEE0D3 push 09B8E1F7h; retf 18_2_02CEE0DD
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEE0E9 push 8B48E1F7h; retf 18_2_02CEE0F1
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CEE5C5 pushad ; ret 18_2_02CEE5C7
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_02CF3127 push ebp; ret 18_2_02CF3128
Source: UC2DFXQIBiE2kQ.dll Static PE information: section name: _RDATA
Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\CqZilJuzKBQGflL\PYmtZH.dll

Boot Survival

Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PYmtZH.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\CqZilJuzKBQGflL\PYmtZH.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\OKCYiYOFwZjDcIsn\OYsSlVLvWy.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 6000 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe API coverage: 7.5 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029290 FindFirstFileExW, 3_2_0000000180029290
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002972C FindFirstFileExW,FindNextFileW,FindClose, 3_2_000000018002972C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 3_2_0000000180028B30
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 00000007.00000003.498656108.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376956234.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376593045.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.644389698.00000000007EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: regsvr32.exe, 00000007.00000003.498656108.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376956234.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376593045.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.376435706.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.644104549.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.644389698.00000000007EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003460 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002DE88 GetProcessHeap, 3_2_000000018002DE88
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003648 SetUnhandledExceptionFilter, 3_2_0000000180003648
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800156F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000001800156F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002E94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0000000180002E94

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 115.178.55.22 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 172.105.115.71 8080
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UC2DFXQIBiE2kQ.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_0000000180035058
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_0000000180035118
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_000000018002C360
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 3_2_0000000180035364
Source: C:\Windows\System32\regsvr32.exe Code function: try_get_function,GetLocaleInfoW, 3_2_000000018002D3CC
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_000000018002C40C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_000000018002C488
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_00000001800354BC
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 3_2_0000000180035590
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_00000001800356BC
Source: C:\Windows\System32\regsvr32.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 3_2_0000000180034BB8
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_0000000180034F04
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 3_2_0000000180034F88
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800243D0 cpuid 3_2_00000001800243D0
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002D450 try_get_function,GetSystemTimeAsFileTime, 3_2_000000018002D450

Stealing of Sensitive Information

Source: Yara match File source: 4.2.rundll32.exe.24188500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2080000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1b505730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.regsvr32.exe.13d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1deaae80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.24188500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.regsvr32.exe.13d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1deaae80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1b505730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.256991395.000001B505A51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.261455242.0000000002D51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.260696945.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254973039.0000024188500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.409592549.00000000013D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.256810706.000001B505730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.645047092.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.261815497.000001DEAC681000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.644659709.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.409741112.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.255048336.0000024188541000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.261734338.000001DEAAE80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY