Windows Analysis Report
kOiaWLNKXpjayWeM.dll

Overview

General Information

Sample Name: kOiaWLNKXpjayWeM.dll
Analysis ID: 750456
MD5: b7d93d2b47d14264b8b986b2d8fc7a49
SHA1: 9310b16c2d7f9195c65cdbecf8c5648525cb80e5
SHA256: 139c1faa496ae6c7d7c5140b9f4ac4e34f153bf40cd080c856b96bbd7ae716d2

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to communicate with device drivers
Uses the system / local time for branch decision (may execute only at specific dates)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

AV Detection

Source: kOiaWLNKXpjayWeM.dll ReversingLabs: Detection: 88%
Source: kOiaWLNKXpjayWeM.dll Virustotal: Detection: 73%
Source: https://218.38.121.17/$ Avira URL Cloud: Label: malware
Source: 00000008.00000002.767607073.0000000000F14000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["218.38.121.17:443", "186.250.48.5:443", "80.211.107.116:8080", "174.138.33.49:7080", "165.22.254.236:8080", "185.148.169.10:8080", "62.171.178.147:8080", "128.199.217.206:443", "210.57.209.142:8080", "36.67.23.59:443", "160.16.143.191:8080", "128.199.242.164:8080", "178.238.225.252:8080", "118.98.72.86:443", "202.134.4.210:7080", "82.98.180.154:7080", "54.37.228.122:443", "64.227.55.231:8080", "195.77.239.39:8080", "103.254.12.236:7080", "103.85.95.4:8080", "178.62.112.199:8080", "83.229.80.93:8080", "114.79.130.68:443", "51.75.33.122:443", "139.196.72.155:8080", "188.165.79.151:443", "190.145.8.4:443", "196.44.98.190:8080", "198.199.70.22:8080", "103.56.149.105:8080", "104.244.79.94:443", "87.106.97.83:7080", "103.71.99.57:8080", "46.101.98.60:8080", "103.126.216.86:443", "103.224.241.74:8080", "37.44.244.177:8080", "85.214.67.203:8080", "202.28.34.99:8080", "175.126.176.79:8080", "85.25.120.45:8080", "93.104.209.107:8080", "103.41.204.169:8080", "78.47.204.80:443", "139.59.80.108:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0Hbtn0QADAJI=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWGLt60QACAIg="]}
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800017A0 CryptStringToBinaryA,CryptStringToBinaryA, 3_2_00000001800017A0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800017A0 CryptStringToBinaryA,CryptStringToBinaryA, 4_2_00000001800017A0
Source: unknown HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E504 GetSystemTime,SystemTimeToFileTime,FindFirstFileW,swprintf,swprintf,CloseHandle,swprintf,FindNextFileW,FindClose, 3_2_000000018000E504
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000E504 GetSystemTime,SystemTimeToFileTime,FindFirstFileW,swprintf,swprintf,CloseHandle,swprintf,FindNextFileW,FindClose, 4_2_000000018000E504
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_029D32FC FindNextFileW,FindFirstFileW,FindClose, 8_2_029D32FC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000DCA0 RegCreateKeyExW,RegQueryValueExW,RegCloseKey,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError, 3_2_000000018000DCA0
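The extracted configuration above carries 46 C2 endpoints and two base64 "Public Key" strings. The block below is an added example, not part of the Joe Sandbox report or of its configuration extractor: it parses that JSON, splits each C2 entry into a (host, port) pair, and decodes the key strings, which are Windows CNG BCRYPT_ECCKEY_BLOB structures: a 4-byte magic ("ECS1" is BCRYPT_ECDSA_PUBLIC_P256_MAGIC, "ECK1" is BCRYPT_ECDH_PUBLIC_P256_MAGIC), a little-endian key size, then the big-endian X and Y coordinates. The embedded JSON is an excerpt (six of the C2 entries plus both keys, copied verbatim from the line above); the P-256 on-curve check is a sanity test that the extractor pulled a genuine key rather than neighbouring bytes, and its result is reported rather than assumed.

```python
"""Parse the Emotet configuration this report extracted: C2 list to
(host, port) pairs, "Public Key" entries to their CNG blob fields.
Added example, not part of the sandbox report."""
import base64
import json
import struct

# Excerpt of the report's "Malware Configuration Extractor" JSON: six of the
# 46 C2 entries plus both key blobs, copied verbatim from the report.
CONFIG_JSON = r'''{"C2 list": ["218.38.121.17:443", "186.250.48.5:443",
 "80.211.107.116:8080", "174.138.33.49:7080", "165.22.254.236:8080",
 "185.148.169.10:8080"],
 "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0Hbtn0QADAJI=",
 "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWGLt60QACAIg="]}'''

# CNG magic values from bcrypt.h.  Emotet carries one of each: the ECDSA key
# verifies signatures on server responses, the ECDH key is used for the
# session key agreement.
BLOB_MAGIC = {
    b"ECS1": "ECDSA P-256 public key (BCRYPT_ECDSA_PUBLIC_P256_MAGIC)",
    b"ECK1": "ECDH P-256 public key (BCRYPT_ECDH_PUBLIC_P256_MAGIC)",
}

# NIST P-256 field prime and curve coefficient b (a = -3).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def is_on_p256(x, y):
    """True if (x, y) satisfies y^2 = x^3 - 3x + b over F_p."""
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def parse_ecc_blob(b64):
    """Decode one base64 BCRYPT_ECCKEY_BLOB and return its fields."""
    raw = base64.b64decode(b64)
    if len(raw) < 8:
        raise ValueError("blob shorter than the 8-byte header")
    magic = raw[:4]
    cb_key = struct.unpack_from("<I", raw, 4)[0]   # key size, little-endian
    if magic not in BLOB_MAGIC:
        raise ValueError("unexpected magic %r" % magic)
    if cb_key != 32:
        raise ValueError("P-256 blobs carry 32-byte coordinates, got %d" % cb_key)
    body_end = 8 + 2 * cb_key
    if len(raw) < body_end:
        raise ValueError("blob truncated: %d bytes, need %d" % (len(raw), body_end))
    # Coordinates are big-endian byte strings in CNG ECC blobs.
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:body_end], "big")
    return {
        "magic": magic.decode("ascii"),
        "purpose": BLOB_MAGIC[magic],
        "x": x,
        "y": y,
        "on_curve": is_on_p256(x, y),
        # The extractor output on this page decodes to 80 bytes, so 8 bytes
        # follow the 72-byte CNG structure; they are not part of it and are
        # ignored here.
        "trailing_bytes": len(raw) - body_end,
    }


def parse_config(text):
    """Return {"c2": [(host, port), ...], "keys": [blob fields, ...]}."""
    cfg = json.loads(text)
    c2 = []
    for entry in cfg["C2 list"]:
        host, port = entry.rsplit(":", 1)
        c2.append((host, int(port)))
    return {"c2": c2, "keys": [parse_ecc_blob(k) for k in cfg["Public Key"]]}


if __name__ == "__main__":
    cfg = parse_config(CONFIG_JSON)
    print("C2 endpoints:", len(cfg["c2"]),
          "ports:", sorted({p for _, p in cfg["c2"]}))
    for k in cfg["keys"]:
        print("%s  %s\n  x=%064x\n  y=%064x\n  on_curve=%s  trailing=%d"
              % (k["magic"], k["purpose"], k["x"], k["y"],
                 k["on_curve"], k["trailing_bytes"]))
```

The parser keys off the declared key size rather than the total length, because the decoded strings here are 80 bytes while the CNG structure for P-256 is 72; anything past the coordinates is reported as trailing bytes. Paste the full C2 array from the configuration line if you want all 46 endpoints.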

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 218.38.121.17 443
Source: Traffic Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.3:49714 -> 218.38.121.17:443
Source: Malware configuration extractor IPs: 218.38.121.17:443
Source: Malware configuration extractor IPs: 186.250.48.5:443
Source: Malware configuration extractor IPs: 80.211.107.116:8080
Source: Malware configuration extractor IPs: 174.138.33.49:7080
Source: Malware configuration extractor IPs: 165.22.254.236:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 128.199.217.206:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 36.67.23.59:443
Source: Malware configuration extractor IPs: 160.16.143.191:8080
Source: Malware configuration extractor IPs: 128.199.242.164:8080
Source: Malware configuration extractor IPs: 178.238.225.252:8080
Source: Malware configuration extractor IPs: 118.98.72.86:443
Source: Malware configuration extractor IPs: 202.134.4.210:7080
Source: Malware configuration extractor IPs: 82.98.180.154:7080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 64.227.55.231:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 103.254.12.236:7080
Source: Malware configuration extractor IPs: 103.85.95.4:8080
Source: Malware configuration extractor IPs: 178.62.112.199:8080
Source: Malware configuration extractor IPs: 83.229.80.93:8080
Source: Malware configuration extractor IPs: 114.79.130.68:443
Source: Malware configuration extractor IPs: 51.75.33.122:443
Source: Malware configuration extractor IPs: 139.196.72.155:8080
Source: Malware configuration extractor IPs: 188.165.79.151:443
Source: Malware configuration extractor IPs: 190.145.8.4:443
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 198.199.70.22:8080
Source: Malware configuration extractor IPs: 103.56.149.105:8080
Source: Malware configuration extractor IPs: 104.244.79.94:443
Source: Malware configuration extractor IPs: 87.106.97.83:7080
Source: Malware configuration extractor IPs: 103.71.99.57:8080
Source: Malware configuration extractor IPs: 46.101.98.60:8080
Source: Malware configuration extractor IPs: 103.126.216.86:443
Source: Malware configuration extractor IPs: 103.224.241.74:8080
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 202.28.34.99:8080
Source: Malware configuration extractor IPs: 175.126.176.79:8080
Source: Malware configuration extractor IPs: 85.25.120.45:8080
Source: Malware configuration extractor IPs: 93.104.209.107:8080
Source: Malware configuration extractor IPs: 103.41.204.169:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 139.59.80.108:8080
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View ASN Name: EcobandGH
Source: Joe Sandbox View JA3 fingerprint: 8916410db85077a5460817142dcbc8de
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  Connection: Keep-Alive
  Cookie: CZwFFyjqj=PsvUh5dfSTgXF3Yfky8rapppSN7mDiCvH+dhS2Yyfelw3Uamqit8NZor2F3Wy+WwSOWoqN5+2o3Zhw2FNT71LtRpaSkxFWR1Kg0o99Yo3iDlozWdXVbDKN+LNEQRdtHZJN1d10Z33/NnObB/sxIul9Ns9qbwBnIwcHleye3lvrsI/kzOGvqg3ckWLYjTGAiII7OQEACc/Vokb0xydc70YHeGOJ5LxNaj2PY1k1evPoZnUp8rd747CdSB5js=
  Host: 218.38.121.17
Source: Joe Sandbox View IP Address: 188.165.79.151
Source: Joe Sandbox View IP Address: 196.44.98.190
Source: unknown Network traffic detected: IP country count 21
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown TCP traffic detected without corresponding DNS query: 218.38.121.17 (reported 10 times)
Source: regsvr32.exe, 00000008.00000003.339955681.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.768245490.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000008.00000003.468907128.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.767607073.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.468748774.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.768041150.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.339924936.0000000000F78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://218.38.121.17/
Source: regsvr32.exe, 00000008.00000002.767607073.0000000000F14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://218.38.121.17/$

E-Banking Fraud

Source: Yara match File source: 00000008.00000002.767607073.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.rundll32.exe.21ce8590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.21ce8590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.21ce8590000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.22ab0780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.22ab0780000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.22ab0780000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.22ab0780000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.21ce8590000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.22ab0780000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.21ce8590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.22ab0780000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.21ce8590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.253014513.0000022AB0991000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.254435708.0000000002401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.253546936.0000021CE85C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.371644938.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.254242832.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.371681565.0000000002A31000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.768911804.00000000029C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.287369701.0000022AB0780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.254193655.0000022AB0991000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.253580195.0000022AB0780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.287814441.0000022AB0991000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.255111695.0000021CE8590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287467703.0000021CE8590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.768771937.0000000002990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.255327053.0000021CE85C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.253497739.0000021CE8590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287612874.0000021CE85C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.251796872.0000022AB0780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6128 -s 480
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\WVVZhuligM\KuLiEStglluewHbC.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\WVVZhuligM\
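The behaviours recorded in the Networking and file-system evidence above (regsvr32.exe connecting to a configured C2 with no preceding DNS lookup, a DLL dropped under a random subdirectory of System32, the Zone.Identifier stream deleted from it, an autostart key pointing into C:\Windows, and a GET / with only a Cookie header to a bare-IP Host) translate directly into host-side detection logic. The block below is an added example, not sandbox output: it runs a handful of rules over constructed Sysmon-style events that mirror those behaviours. The C2 set is an excerpt of the extracted configuration, the dropped-file paths and the HTTP request are the ones on this page, and the Run key name and the browser traffic in events 4 to 6 are hypothetical.

```python
"""Rule-based correlation of host and network telemetry against the Emotet
indicators in this report.  Added example; the events are constructed."""
import ipaddress
import re

# Excerpt of the report's extracted C2 list, as (ip, port) pairs.
EMOTET_C2 = {
    ("218.38.121.17", 443), ("186.250.48.5", 443), ("80.211.107.116", 8080),
    ("174.138.33.49", 7080), ("165.22.254.236", 8080), ("185.148.169.10", 8080),
}

# Images the sample runs inside on this page.
HOST_PROCESSES = {"regsvr32.exe", "rundll32.exe"}

# C:\Windows\System32\<subdir>\<name>.dll, the drop location the report shows.
SYSTEM32_SUBDIR_DLL = re.compile(r"^C:\\Windows\\System32\\[^\\]+\\[^\\]+\.dll$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Cookie shape seen in the captured request: short alphanumeric name, long base64 value.
BASE64_COOKIE = re.compile(r"^[A-Za-z0-9]{4,16}=[A-Za-z0-9+/]{64,}={0,2}$")

# Constructed events shaped like Sysmon IDs 3 (net), 11 (file create),
# 13 (registry set), 22 (DNS) and 23 (file delete), plus one decoded HTTP
# request.  Event 4's key name is hypothetical; 5 and 6 are benign traffic.
EVENTS = [
    {"id": 1, "type": "net", "image": r"C:\Windows\System32\regsvr32.exe",
     "dst_ip": "218.38.121.17", "dst_port": 443},
    {"id": 2, "type": "file_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "path": r"C:\Windows\System32\WVVZhuligM\KuLiEStglluewHbC.dll"},
    {"id": 3, "type": "file_delete", "image": r"C:\Windows\System32\regsvr32.exe",
     "path": r"C:\Windows\System32\WVVZhuligM\KuLiEStglluewHbC.dll:Zone.Identifier"},
    {"id": 4, "type": "reg_set", "image": r"C:\Windows\System32\regsvr32.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KuLiEStglluewHbC",
     "data": r'C:\Windows\System32\regsvr32.exe "C:\Windows\System32\WVVZhuligM\KuLiEStglluewHbC.dll"'},
    {"id": 5, "type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "example.org", "answers": ["203.0.113.10"]},
    {"id": 6, "type": "net", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 7, "type": "http", "image": r"C:\Windows\System32\regsvr32.exe",
     "method": "GET", "path": "/", "headers": {
         "Connection": "Keep-Alive",
         "Cookie": "CZwFFyjqj=PsvUh5dfSTgXF3Yfky8rapppSN7mDiCvH+dhS2Yyfelw3Uamqit8NZor2F3Wy+WwSOWoqN5+2o3Zhw2FNT71LtRpaSkxFWR1Kg0o99Yo3iDlozWdXVbDKN+LNEQRdtHZJN1d10Z33/NnObB/sxIul9Ns9qbwBnIwcHleye3lvrsI/kzOGvqg3ckWLYjTGAiII7OQEACc/Vokb0xydc70YHeGOJ5LxNaj2PY1k1evPoZnUp8rd747CdSB5js=",
         "Host": "218.38.121.17"}},
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect(events):
    """Return [(rule_name, event_id), ...] for events that match a rule."""
    findings = []
    resolved = set()  # IPs returned by DNS answers seen so far
    for ev in events:
        kind, img = ev["type"], image_name(ev["image"])
        if kind == "dns":
            resolved.update(ev["answers"])
        elif kind == "net":
            if (ev["dst_ip"], ev["dst_port"]) in EMOTET_C2:
                findings.append(("emotet_c2_from_config", ev["id"]))
            if img in HOST_PROCESSES and ev["dst_ip"] not in resolved:
                findings.append(("lolbin_direct_ip_no_dns", ev["id"]))
        elif kind == "file_create":
            if img in HOST_PROCESSES and SYSTEM32_SUBDIR_DLL.match(ev["path"]):
                findings.append(("dll_dropped_under_system32", ev["id"]))
        elif kind == "file_delete":
            if ev["path"].lower().endswith(":zone.identifier"):
                findings.append(("mark_of_the_web_removed", ev["id"]))
        elif kind == "reg_set":
            data = ev["data"].lower()
            if RUN_KEY.search(ev["key"]) and "regsvr32" in data and "c:\\windows\\" in data:
                findings.append(("run_key_regsvr32_windows_dir", ev["id"]))
        elif kind == "http":
            h = {k.lower(): v for k, v in ev["headers"].items()}
            if (ev["method"] == "GET" and ev["path"] == "/" and "user-agent" not in h
                    and is_bare_ip(h.get("host", "")) and BASE64_COOKIE.match(h.get("cookie", ""))):
                findings.append(("emotet_style_http_beacon", ev["id"]))
    return findings


if __name__ == "__main__":
    for rule, eid in detect(EVENTS):
        print("event %d: %s" % (eid, rule))
```

The DNS rule is order-dependent by design: a connection from regsvr32.exe or rundll32.exe to an address that no earlier DNS answer produced is what the report's "TCP traffic detected without corresponding DNS query" entries describe. The benign browser connection in event 6 is preceded by its lookup and produces nothing.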
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180033FF8 3_2_0000000180033FF8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002C000 3_2_000000018002C000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032008 3_2_0000000180032008
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006024 3_2_0000000180006024
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018005F03C 3_2_000000018005F03C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180035048 3_2_0000000180035048
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003A05C 3_2_000000018003A05C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180037060 3_2_0000000180037060
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180047064 3_2_0000000180047064
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002A098 3_2_000000018002A098
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800530E0 3_2_00000001800530E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D0E0 3_2_000000018000D0E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800330E4 3_2_00000001800330E4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003B0EC 3_2_000000018003B0EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180042108 3_2_0000000180042108
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B10C 3_2_000000018000B10C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032114 3_2_0000000180032114
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180048120 3_2_0000000180048120
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180038120 3_2_0000000180038120
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180034148 3_2_0000000180034148
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180035154 3_2_0000000180035154
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018005C18C 3_2_000000018005C18C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800391A0 3_2_00000001800391A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018005423C 3_2_000000018005423C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180033250 3_2_0000000180033250
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003A260 3_2_000000018003A260
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180037264 3_2_0000000180037264
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032280 3_2_0000000180032280
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180034298 3_2_0000000180034298
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018005F2B8 3_2_000000018005F2B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800352C0 3_2_00000001800352C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800072D8 3_2_00000001800072D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003B320 3_2_000000018003B320
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003832C 3_2_000000018003832C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180033358 3_2_0000000180033358
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180049388 3_2_0000000180049388
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032388 3_2_0000000180032388
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800293B0 3_2_00000001800293B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800353C8 3_2_00000001800353C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800393D4 3_2_00000001800393D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800133E8 3_2_00000001800133E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800343EC 3_2_00000001800343EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180033460 3_2_0000000180033460
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003A464 3_2_000000018003A464
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F464 3_2_000000018000F464
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010488 3_2_0000000180010488
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180037490 3_2_0000000180037490
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032490 3_2_0000000180032490
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800354D0 3_2_00000001800354D0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800474CC 3_2_00000001800474CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E504 3_2_000000018000E504
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180034528 3_2_0000000180034528
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180048524 3_2_0000000180048524
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180038530 3_2_0000000180038530
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018006E538 3_2_000000018006E538
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003356C 3_2_000000018003356C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002C580 3_2_000000018002C580
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180011580 3_2_0000000180011580
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003259C 3_2_000000018003259C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800355DC 3_2_00000001800355DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800395E0 3_2_00000001800395E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180034630 3_2_0000000180034630
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003A690 3_2_000000018003A690
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180037694 3_2_0000000180037694
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800076A8 3_2_00000001800076A8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800066D4 3_2_00000001800066D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800336D8 3_2_00000001800336D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B6FC 3_2_000000018000B6FC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032708 3_2_0000000180032708
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180034738 3_2_0000000180034738
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180035748 3_2_0000000180035748
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003875C 3_2_000000018003875C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800337E0 3_2_00000001800337E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800397EC 3_2_00000001800397EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800497EC 3_2_00000001800497EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032814 3_2_0000000180032814
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180034844 3_2_0000000180034844
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180035850 3_2_0000000180035850
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001850 3_2_0000000180001850
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013860 3_2_0000000180013860
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003A894 3_2_000000018003A894
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800378A0 3_2_00000001800378A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800748CC 3_2_00000001800748CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800338E8 3_2_00000001800338E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018005C8EC 3_2_000000018005C8EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180047904 3_2_0000000180047904
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032920 3_2_0000000180032920
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180035958 3_2_0000000180035958
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180038960 3_2_0000000180038960
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018004196C 3_2_000000018004196C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800349B0 3_2_00000001800349B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800579B8 3_2_00000001800579B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800489E8 3_2_00000001800489E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800039EC 3_2_00000001800039EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800339F0 3_2_00000001800339F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A9F4 3_2_000000018000A9F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180039A20 3_2_0000000180039A20
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002CA20 3_2_000000018002CA20
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012A20 3_2_0000000180012A20
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032A2C 3_2_0000000180032A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180036A2C 3_2_0000000180036A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180035A64 3_2_0000000180035A64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003AAA0 3_2_000000018003AAA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180034AB8 3_2_0000000180034AB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007ABC 3_2_0000000180007ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180037AD4 3_2_0000000180037AD4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029AE8 3_2_0000000180029AE8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180033B58 3_2_0000000180033B58
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180038B64 3_2_0000000180038B64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003B84 3_2_0000000180003B84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032B98 3_2_0000000180032B98
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180034BC0 3_2_0000000180034BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180068BC8 3_2_0000000180068BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180039C2C 3_2_0000000180039C2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180036C30 3_2_0000000180036C30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180046C2C 3_2_0000000180046C2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180033C60 3_2_0000000180033C60
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180049C7C 3_2_0000000180049C7C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032C9C 3_2_0000000180032C9C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000DCA0 3_2_000000018000DCA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000CCC4 3_2_000000018000CCC4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180034CCC 3_2_0000000180034CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003ACD4 3_2_000000018003ACD4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180037CE0 3_2_0000000180037CE0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180041CF0 3_2_0000000180041CF0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001CCF0 3_2_000000018001CCF0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018005BCF8 3_2_000000018005BCF8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180047D08 3_2_0000000180047D08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000FD40 3_2_000000018000FD40
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180033D68 3_2_0000000180033D68
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180053D6C 3_2_0000000180053D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180038D90 3_2_0000000180038D90
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032DC8 3_2_0000000180032DC8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003DE0 3_2_0000000180003DE0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180031DF0 3_2_0000000180031DF0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180052E20 3_2_0000000180052E20
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180039E30 3_2_0000000180039E30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180034E38 3_2_0000000180034E38
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010E48 3_2_0000000180010E48
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180036E5C 3_2_0000000180036E5C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180033E74 3_2_0000000180033E74
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180048EC4 3_2_0000000180048EC4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180032ED0 3_2_0000000180032ED0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018003AEE0 3_2_000000018003AEE0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004EE0 3_2_0000000180004EE0
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180004968 appears 32 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 0000000180004968 appears 32 times
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B10C: DeviceIoControl,GetLastError,GetLastError, 3_2_000000018000B10C
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: kOiaWLNKXpjayWeM.dll ReversingLabs: Detection: 88%
Source: kOiaWLNKXpjayWeM.dll Virustotal: Detection: 73%
Source: kOiaWLNKXpjayWeM.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?AddArrayString@JKDefragLib@@QEAAPEAPEA_WPEAPEA_WPEA_W@Z
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WVVZhuligM\KuLiEStglluewHbC.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?CallShowStatus@JKDefragLib@@QEAAXPEAUDefragDataStruct@@HH@Z
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6128 -s 480
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2424 -s 472
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?ColorizeItem@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@_K2H@Z
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\WVVZhuligM\KuLiEStglluewHbC.dll
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\WrWLj\BwssvzQrG.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\WrWLj\BwssvzQrG.dll"
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007ABC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVolumePathNameW,swprintf,GetVolumeNameForVolumeMountPointW,GetLastError,swprintf,swprintf,_fread_nolock,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle,GetDiskFreeSpaceExW,DeviceIoControl,swprintf,swprintf,FlushFileBuffers,CloseHandle,FlushFileBuffers,CloseHandle,CloseHandle, 3_2_0000000180007ABC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180007ABC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVolumePathNameW,swprintf,GetVolumeNameForVolumeMountPointW,GetLastError,swprintf,swprintf,_fread_nolock,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle,GetDiskFreeSpaceExW,DeviceIoControl,swprintf,swprintf,FlushFileBuffers,CloseHandle,FlushFileBuffers,CloseHandle,CloseHandle, 4_2_0000000180007ABC
Source: C:\Windows\System32\regsvr32.exe File created: C:\Users\user\AppData\Local\WrWLj\
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F6F.tmp
Source: classification engine Classification label: mal100.troj.evad.winDLL@21/8@0/47
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007ABC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVolumePathNameW,swprintf,GetVolumeNameForVolumeMountPointW,GetLastError,swprintf,swprintf,_fread_nolock,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle,GetDiskFreeSpaceExW,DeviceIoControl,swprintf,swprintf,FlushFileBuffers,CloseHandle,FlushFileBuffers,CloseHandle,CloseHandle, 3_2_0000000180007ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_029C9D2C FindCloseChangeNotification,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW, 8_2_029C9D2C
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6128
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2424
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: kOiaWLNKXpjayWeM.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: kOiaWLNKXpjayWeM.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kOiaWLNKXpjayWeM.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kOiaWLNKXpjayWeM.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kOiaWLNKXpjayWeM.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kOiaWLNKXpjayWeM.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kOiaWLNKXpjayWeM.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: kOiaWLNKXpjayWeM.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kOiaWLNKXpjayWeM.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kOiaWLNKXpjayWeM.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kOiaWLNKXpjayWeM.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kOiaWLNKXpjayWeM.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kOiaWLNKXpjayWeM.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02408A56 push ebp; iretd 3_2_02408A57
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02406212 push ebp; iretd 3_2_02406213
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02405A82 push ebp; iretd 3_2_02405A83
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02406870 push ebp; iretd 3_2_024068C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_024230F3 push ebp; iretd 3_2_024230F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02409097 push ebp; iretd 3_2_02409098
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02406957 push ebp; iretd 3_2_02406958
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02408E30 push ebp; iretd 3_2_02408E31
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02406633 push ebp; retf 3_2_02406634
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02408F44 push ebp; iretd 3_2_02408F45
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02406738 push 45C7D274h; iretd 3_2_0240673E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02406415 push ebp; retf 3_2_02406416
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_024224FA push ebp; ret 3_2_024224FB
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02408D61 push ebp; iretd 3_2_02408D62
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0240658C push ebp; iretd 3_2_0240658D
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A35A82 push ebp; iretd 22_2_02A35A83
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A36633 push ebp; retf 22_2_02A36634
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A38E30 push ebp; iretd 22_2_02A38E31
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A36212 push ebp; iretd 22_2_02A36213
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A38A56 push ebp; iretd 22_2_02A38A57
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A36738 push 45C7D274h; iretd 22_2_02A3673E
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A38F44 push ebp; iretd 22_2_02A38F45
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A39097 push ebp; iretd 22_2_02A39098
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A530F3 push ebp; iretd 22_2_02A530F4
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A524FA push ebp; ret 22_2_02A524FB
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A36415 push ebp; retf 22_2_02A36416
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A36870 push ebp; iretd 22_2_02A368C4
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A3658C push ebp; iretd 22_2_02A3658D
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A38D61 push ebp; iretd 22_2_02A38D62
Source: C:\Windows\System32\regsvr32.exe Code function: 22_2_02A36957 push ebp; iretd 22_2_02A36958
Source: kOiaWLNKXpjayWeM.dll Static PE information: section name: _RDATA
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll
Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\WVVZhuligM\KuLiEStglluewHbC.dll

Boot Survival

Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KuLiEStglluewHbC.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\WVVZhuligM\KuLiEStglluewHbC.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\WrWLj\BwssvzQrG.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 3420 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B6FC GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rax+7ch], 01h and CTI: je 000000018000B7A2h 3_2_000000018000B6FC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B6FC GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rax+00000080h], 01h and CTI: je 000000018000B7A2h 3_2_000000018000B6FC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000B6FC GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rax+7ch], 01h and CTI: je 000000018000B7A2h 4_2_000000018000B6FC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000B6FC GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rax+00000080h], 01h and CTI: je 000000018000B7A2h 4_2_000000018000B6FC
Source: C:\Windows\System32\regsvr32.exe API coverage: 5.8 %
Source: C:\Windows\System32\rundll32.exe API coverage: 5.5 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E504 GetSystemTime,SystemTimeToFileTime,FindFirstFileW,swprintf,swprintf,CloseHandle,swprintf,FindNextFileW,FindClose, 3_2_000000018000E504
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000E504 GetSystemTime,SystemTimeToFileTime,FindFirstFileW,swprintf,swprintf,CloseHandle,swprintf,FindNextFileW,FindClose, 4_2_000000018000E504
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_029D32FC FindNextFileW,FindFirstFileW,FindClose, 8_2_029D32FC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000DCA0 RegCreateKeyExW,RegQueryValueExW,RegCloseKey,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError, 3_2_000000018000DCA0
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 00000008.00000002.768165460.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.768182445.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.468875093.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.468641649.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.468687202.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.339812172.0000000000F95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000008.00000003.468708556.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.767971584.0000000000F61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025630 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000000180025630
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025630 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000000180025630
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001579C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000000018001579C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015984 SetUnhandledExceptionFilter, 3_2_0000000180015984
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014A60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0000000180014A60
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180025630 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0000000180025630
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001579C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_000000018001579C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015984 SetUnhandledExceptionFilter, 4_2_0000000180015984
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180014A60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0000000180014A60

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 218.38.121.17 443
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006024 GetSystemTime,SystemTimeToFileTime, 3_2_0000000180006024
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018005F03C _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 3_2_000000018005F03C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001850 GetCommandLineW,CommandLineToArgvW,GetVersionExA, 3_2_0000000180001850

Stealing of Sensitive Information

Source: Yara match File source: 00000008.00000002.767607073.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.rundll32.exe.21ce8590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.21ce8590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.21ce8590000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.22ab0780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.22ab0780000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.22ab0780000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.22ab0780000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.21ce8590000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.22ab0780000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.21ce8590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.22ab0780000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.21ce8590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.253014513.0000022AB0991000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.254435708.0000000002401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.253546936.0000021CE85C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.371644938.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.254242832.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.371681565.0000000002A31000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.768911804.00000000029C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.287369701.0000022AB0780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.254193655.0000022AB0991000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.253580195.0000022AB0780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.287814441.0000022AB0991000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.255111695.0000021CE8590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287467703.0000021CE8590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.768771937.0000000002990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.255327053.0000021CE85C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.253497739.0000021CE8590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287612874.0000021CE85C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.251796872.0000022AB0780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY