Windows Analysis Report
f_00321b.dll

Overview

General Information

Sample Name: f_00321b.dll
(renamed file extension from none to dll, renamed because original name is a hash value)
Original Sample Name: f_00321b
Analysis ID: 829552
MD5: bfc060937dc90b273eccb6825145f298
SHA1: c156c00c7e918f0cb7363614fb1f177c90d8108a
SHA256: 2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253
Infos:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Queues an APC in another process (thread injection)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: f_00321b.dll Virustotal: Detection: 60% Perma Link
Source: f_00321b.dll ReversingLabs: Detection: 79%
Antivirus detection for URL or domain
Source: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/0u Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb// Avira URL Cloud: Label: malware
Source: https://213.239.212.5/~ Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/ Avira URL Cloud: Label: malware
Source: https://213.239.212.5/nnukk/upfurpftd/ltwomnfleb/ Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/ Avira URL Cloud: Label: malware
Source: https://82.223.21.224:8080/nnukk/upfurpftd/ltwomnfleb/ Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/Y Avira URL Cloud: Label: malware
Source: https://82.223.21.224:8080/ Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/- Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/nnukk/upfurpftd/ltwomnfleb/ Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/nnukk/upfurpftd/ltwomnfleb/ Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/? Avira URL Cloud: Label: malware
Source: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb//K Avira URL Cloud: Label: malware
Source: https://164.90.222.65:443/nnukk/upfurpftd/ltwomnfleb/b/X Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/nnukk/upfurpftd/ltwomnfleb/ Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/nnukk/upfurpftd/ltwomnfleb/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/ Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/l/z Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/nnukk/upfurpftd/ltwomnfleb/ Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/nnukk/upfurpftd/ltwomnfleb/ Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/o Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/ Avira URL Cloud: Label: malware
Source: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/w Avira URL Cloud: Label: malware
Source: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/ Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/% Avira URL Cloud: Label: malware
Source: https://164.90.222.65/wn Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/Y Avira URL Cloud: Label: malware
Source: https://213.239.212.5:443/nnukk/upfurpftd/ltwomnfleb/N Avira URL Cloud: Label: malware
Source: 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj50W/ClAAOAIo=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2xW++lAAKAJA="]}
Source: unknown HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49704 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008D28 FindFirstFileExW, 3_2_0000000180008D28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008D28 FindFirstFileExW, 4_2_0000000180008D28

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 213.239.212.5 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 119.59.103.152 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.235.8.30 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 206.189.28.199 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 107.170.39.149 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.56.131.28 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 169.57.156.166 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080 Jump to behavior
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.4:49704 -> 164.90.222.65:443
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49695 -> 91.121.146.47:8080
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49697 -> 66.228.32.31:7080
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49698 -> 182.162.143.56:443
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.4:49702 -> 187.63.160.88:80
Source: Traffic Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.4:49703 -> 167.172.199.165:8080
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.4:49705 -> 104.168.155.143:8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.4:49719 -> 1.234.2.232:8080
Source: Traffic Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.4:49721 -> 206.189.28.199:8080
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.4:49729 -> 213.239.212.5:443
Source: Traffic Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.4:49733 -> 45.235.8.30:8080
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 91.121.146.47:8080
Source: Malware configuration extractor IPs: 66.228.32.31:7080
Source: Malware configuration extractor IPs: 182.162.143.56:443
Source: Malware configuration extractor IPs: 187.63.160.88:80
Source: Malware configuration extractor IPs: 167.172.199.165:8080
Source: Malware configuration extractor IPs: 164.90.222.65:443
Source: Malware configuration extractor IPs: 104.168.155.143:8080
Source: Malware configuration extractor IPs: 163.44.196.120:8080
Source: Malware configuration extractor IPs: 160.16.142.56:8080
Source: Malware configuration extractor IPs: 159.89.202.34:443
Source: Malware configuration extractor IPs: 159.65.88.10:8080
Source: Malware configuration extractor IPs: 186.194.240.217:443
Source: Malware configuration extractor IPs: 149.56.131.28:8080
Source: Malware configuration extractor IPs: 72.15.201.15:8080
Source: Malware configuration extractor IPs: 1.234.2.232:8080
Source: Malware configuration extractor IPs: 82.223.21.224:8080
Source: Malware configuration extractor IPs: 206.189.28.199:8080
Source: Malware configuration extractor IPs: 169.57.156.166:8080
Source: Malware configuration extractor IPs: 107.170.39.149:8080
Source: Malware configuration extractor IPs: 103.43.75.120:443
Source: Malware configuration extractor IPs: 91.207.28.33:8080
Source: Malware configuration extractor IPs: 213.239.212.5:443
Source: Malware configuration extractor IPs: 45.235.8.30:8080
Source: Malware configuration extractor IPs: 119.59.103.152:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 95.217.221.146:8080
Source: Malware configuration extractor IPs: 153.126.146.25:7080
Source: Malware configuration extractor IPs: 197.242.150.244:8080
Source: Malware configuration extractor IPs: 202.129.205.3:8080
Source: Malware configuration extractor IPs: 103.132.242.26:8080
Source: Malware configuration extractor IPs: 139.59.126.41:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 183.111.227.137:8080
Source: Malware configuration extractor IPs: 5.135.159.50:443
Source: Malware configuration extractor IPs: 201.94.166.162:443
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 79.137.35.198:8080
Source: Malware configuration extractor IPs: 172.105.226.75:8080
Source: Malware configuration extractor IPs: 94.23.45.86:4143
Source: Malware configuration extractor IPs: 115.68.227.76:8080
Source: Malware configuration extractor IPs: 153.92.5.27:8080
Source: Malware configuration extractor IPs: 167.172.253.162:8080
Source: Malware configuration extractor IPs: 188.44.20.25:443
Source: Malware configuration extractor IPs: 147.139.166.154:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 185.4.135.165:8080
Source: Malware configuration extractor IPs: 45.176.232.124:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 8916410db85077a5460817142dcbc8de
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /nnukk/upfurpftd/ltwomnfleb/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 164.90.222.65
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 159.65.88.10 159.65.88.10
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49695 -> 91.121.146.47:8080
Source: global traffic TCP traffic: 192.168.2.4:49697 -> 66.228.32.31:7080
Source: global traffic TCP traffic: 192.168.2.4:49703 -> 167.172.199.165:8080
Source: global traffic TCP traffic: 192.168.2.4:49705 -> 104.168.155.143:8080
Source: global traffic TCP traffic: 192.168.2.4:49706 -> 163.44.196.120:8080
Source: global traffic TCP traffic: 192.168.2.4:49707 -> 160.16.142.56:8080
Source: global traffic TCP traffic: 192.168.2.4:49712 -> 159.65.88.10:8080
Source: global traffic TCP traffic: 192.168.2.4:49717 -> 149.56.131.28:8080
Source: global traffic TCP traffic: 192.168.2.4:49718 -> 72.15.201.15:8080
Source: global traffic TCP traffic: 192.168.2.4:49719 -> 1.234.2.232:8080
Source: global traffic TCP traffic: 192.168.2.4:49720 -> 82.223.21.224:8080
Source: global traffic TCP traffic: 192.168.2.4:49721 -> 206.189.28.199:8080
Source: global traffic TCP traffic: 192.168.2.4:49722 -> 169.57.156.166:8080
Source: global traffic TCP traffic: 192.168.2.4:49723 -> 107.170.39.149:8080
Source: global traffic TCP traffic: 192.168.2.4:49728 -> 91.207.28.33:8080
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 45.235.8.30:8080
Source: global traffic TCP traffic: 192.168.2.4:49734 -> 119.59.103.152:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 17
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: regsvr32.exe, 00000006.00000003.405236343.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000006.00000003.403176312.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.403664983.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000006.00000003.403176312.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.403664983.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com//
Source: regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000006.00000003.403176312.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1bee005e237d0
Source: regsvr32.exe, 00000006.00000003.405118809.000000000075A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490542704.000000000075A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.404596026.000000000075A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839083307.000000000075A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/end
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.44.196.120:8080/
Source: regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://104.168.155.143:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://107.170.39.149:8080/
Source: regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://107.170.39.149:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839483293.00000000027F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.59.103.152:8080/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.59.103.152:8080/l/z
Source: regsvr32.exe, 00000006.00000002.839161422.00000000007DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/%
Source: regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/?
Source: regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.65.88.10:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490542704.0000000000755000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/
Source: regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb//K
Source: regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/w
Source: regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/wn
Source: regsvr32.exe, 00000006.00000003.489477256.000000000285E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65:443/nnukk/upfurpftd/ltwomnfleb/b/X
Source: regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/
Source: regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/Y
Source: regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/o
Source: regsvr32.exe, 00000006.00000003.490542704.000000000075A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://187.172.199.165:8080/
Source: regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489477256.000000000285E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://187.63.160.88:80/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839483293.00000000027F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://189.56.131.28:8080/
Source: regsvr32.exe, 00000006.00000002.839483293.00000000027F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://21.235.8.30:8080/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/~
Source: regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5:443/nnukk/upfurpftd/ltwomnfleb/N
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/
Source: regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb//
Source: regsvr32.exe, 00000006.00000002.839161422.00000000007DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/0u
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/Y
Source: regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://66.228.32.31:7080/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://82.223.21.224:8080/
Source: regsvr32.exe, 00000006.00000002.839161422.00000000007DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://82.223.21.224:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839083307.0000000000783000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490273767.0000000000783000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.404883022.0000000000783000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/-
Source: unknown HTTP traffic detected: POST /nnukk/upfurpftd/ltwomnfleb/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 164.90.222.65
Source: unknown HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49704 version: TLS 1.2

E-Banking Fraud
barindex
Yara detected Emotet
Source: Yara match File source: 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.rundll32.exe.1caef360000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.24067ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.24067ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.22d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.22d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1caef360000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1fe0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.320583141.0000024067ED1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.839406801.0000000002031000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.839356776.0000000001FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319594851.0000000002301000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319426857.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320938696.000001CAEF360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320487184.0000024067EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320983303.000001CAEF391000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Deletes files inside the Windows folder
Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\ZbmMPnDvLqwXll\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006818 3_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B878 3_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007110 3_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008D28 3_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014555 3_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_022A0000 3_2_022A0000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230263C 3_2_0230263C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02308BC8 3_2_02308BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02318FC8 3_2_02318FC8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230CC14 3_2_0230CC14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231A000 3_2_0231A000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231709C 3_2_0231709C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02307D6C 3_2_02307D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230BA2C 3_2_0230BA2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02318A2C 3_2_02318A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02310E2C 3_2_02310E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231662C 3_2_0231662C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02304214 3_2_02304214
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230461C 3_2_0230461C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02315A00 3_2_02315A00
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02328A00 3_2_02328A00
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02318E08 3_2_02318E08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02303E0C 3_2_02303E0C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231020C 3_2_0231020C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02310A70 3_2_02310A70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02303274 3_2_02303274
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230A660 3_2_0230A660
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230B258 3_2_0230B258
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230F65C 3_2_0230F65C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231A244 3_2_0231A244
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230AAB8 3_2_0230AAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02304EB8 3_2_02304EB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02303ABC 3_2_02303ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231A6BC 3_2_0231A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230BE90 3_2_0230BE90
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02314A90 3_2_02314A90
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02308A8C 3_2_02308A8C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02324E8C 3_2_02324E8C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023092F0 3_2_023092F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023196D4 3_2_023196D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231EAC0 3_2_0231EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230D6CC 3_2_0230D6CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230D33C 3_2_0230D33C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231E310 3_2_0231E310
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230EF14 3_2_0230EF14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02313B14 3_2_02313B14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02314F18 3_2_02314F18
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231D770 3_2_0231D770
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231CF70 3_2_0231CF70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02308378 3_2_02308378
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230F77C 3_2_0230F77C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231E750 3_2_0231E750
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02304758 3_2_02304758
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230975C 3_2_0230975C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02308FB0 3_2_02308FB0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230FFB8 3_2_0230FFB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02318BB8 3_2_02318BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230DBA0 3_2_0230DBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02301B94 3_2_02301B94
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02315384 3_2_02315384
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230A7F0 3_2_0230A7F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023227EC 3_2_023227EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02313FD0 3_2_02313FD0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02302FD4 3_2_02302FD4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023033D4 3_2_023033D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023197CC 3_2_023197CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02311030 3_2_02311030
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231EC30 3_2_0231EC30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230B83C 3_2_0230B83C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0232181C 3_2_0232181C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02301000 3_2_02301000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02309408 3_2_02309408
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02307C08 3_2_02307C08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02316C70 3_2_02316C70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230D474 3_2_0230D474
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02302C78 3_2_02302C78
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230C078 3_2_0230C078
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230B07C 3_2_0230B07C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231B460 3_2_0231B460
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02325450 3_2_02325450
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231C058 3_2_0231C058
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02307840 3_2_02307840
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231C44C 3_2_0231C44C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231A8B0 3_2_0231A8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230DCB8 3_2_0230DCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023294BC 3_2_023294BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023098AC 3_2_023098AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230AC94 3_2_0230AC94
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02315880 3_2_02315880
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02304C84 3_2_02304C84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231CC84 3_2_0231CC84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02303CF4 3_2_02303CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023090F8 3_2_023090F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023048FC 3_2_023048FC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023120E0 3_2_023120E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023014D4 3_2_023014D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02313CD4 3_2_02313CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023018DC 3_2_023018DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230F8C4 3_2_0230F8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02315CC4 3_2_02315CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023080CC 3_2_023080CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023108CC 3_2_023108CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02307530 3_2_02307530
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231B130 3_2_0231B130
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02306138 3_2_02306138
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02314D20 3_2_02314D20
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02311924 3_2_02311924
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231AD28 3_2_0231AD28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02329910 3_2_02329910
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02317518 3_2_02317518
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02328500 3_2_02328500
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231610C 3_2_0231610C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023095BC 3_2_023095BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231BDA0 3_2_0231BDA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231D5F0 3_2_0231D5F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023115C8 3_2_023115C8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006818 4_2_0000000180006818
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000B878 4_2_000000018000B878
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180007110 4_2_0000000180007110
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008D28 4_2_0000000180008D28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180014555 4_2_0000000180014555
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067E90000 4_2_0000024067E90000
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED263C 4_2_0000024067ED263C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED7D6C 4_2_0000024067ED7D6C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE709C 4_2_0000024067EE709C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEA000 4_2_0000024067EEA000
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDCC14 4_2_0000024067EDCC14
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED8BC8 4_2_0000024067ED8BC8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE8FC8 4_2_0000024067EE8FC8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDBA2C 4_2_0000024067EDBA2C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE8A2C 4_2_0000024067EE8A2C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE0E2C 4_2_0000024067EE0E2C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE662C 4_2_0000024067EE662C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED3E0C 4_2_0000024067ED3E0C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE020C 4_2_0000024067EE020C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE8E08 4_2_0000024067EE8E08
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE5A00 4_2_0000024067EE5A00
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EF8A00 4_2_0000024067EF8A00
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED461C 4_2_0000024067ED461C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED4214 4_2_0000024067ED4214
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EED5F0 4_2_0000024067EED5F0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE15C8 4_2_0000024067EE15C8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEBDA0 4_2_0000024067EEBDA0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED95BC 4_2_0000024067ED95BC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEAD28 4_2_0000024067EEAD28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE1924 4_2_0000024067EE1924
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE4D20 4_2_0000024067EE4D20
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED6138 4_2_0000024067ED6138
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED7530 4_2_0000024067ED7530
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEB130 4_2_0000024067EEB130
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE610C 4_2_0000024067EE610C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EF8500 4_2_0000024067EF8500
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE7518 4_2_0000024067EE7518
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EF9910 4_2_0000024067EF9910
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE20E0 4_2_0000024067EE20E0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED48FC 4_2_0000024067ED48FC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED90F8 4_2_0000024067ED90F8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED3CF4 4_2_0000024067ED3CF4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED80CC 4_2_0000024067ED80CC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE08CC 4_2_0000024067EE08CC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE5CC4 4_2_0000024067EE5CC4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDF8C4 4_2_0000024067EDF8C4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED18DC 4_2_0000024067ED18DC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED14D4 4_2_0000024067ED14D4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE3CD4 4_2_0000024067EE3CD4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED98AC 4_2_0000024067ED98AC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EF94BC 4_2_0000024067EF94BC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDDCB8 4_2_0000024067EDDCB8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEA8B0 4_2_0000024067EEA8B0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED4C84 4_2_0000024067ED4C84
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EECC84 4_2_0000024067EECC84
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE5880 4_2_0000024067EE5880
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDAC94 4_2_0000024067EDAC94
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEB460 4_2_0000024067EEB460
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDB07C 4_2_0000024067EDB07C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED2C78 4_2_0000024067ED2C78
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDC078 4_2_0000024067EDC078
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDD474 4_2_0000024067EDD474
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE6C70 4_2_0000024067EE6C70
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEC44C 4_2_0000024067EEC44C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED7840 4_2_0000024067ED7840
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEC058 4_2_0000024067EEC058
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EF5450 4_2_0000024067EF5450
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDB83C 4_2_0000024067EDB83C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE1030 4_2_0000024067EE1030
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEEC30 4_2_0000024067EEEC30
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED9408 4_2_0000024067ED9408
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED7C08 4_2_0000024067ED7C08
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED1000 4_2_0000024067ED1000
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EF181C 4_2_0000024067EF181C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EF27EC 4_2_0000024067EF27EC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDA7F0 4_2_0000024067EDA7F0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE97CC 4_2_0000024067EE97CC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED2FD4 4_2_0000024067ED2FD4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED33D4 4_2_0000024067ED33D4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE3FD0 4_2_0000024067EE3FD0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDDBA0 4_2_0000024067EDDBA0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDFFB8 4_2_0000024067EDFFB8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE8BB8 4_2_0000024067EE8BB8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED8FB0 4_2_0000024067ED8FB0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE5384 4_2_0000024067EE5384
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED1B94 4_2_0000024067ED1B94
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDF77C 4_2_0000024067EDF77C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED8378 4_2_0000024067ED8378
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EED770 4_2_0000024067EED770
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EECF70 4_2_0000024067EECF70
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED975C 4_2_0000024067ED975C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED4758 4_2_0000024067ED4758
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEE750 4_2_0000024067EEE750
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDD33C 4_2_0000024067EDD33C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE4F18 4_2_0000024067EE4F18
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDEF14 4_2_0000024067EDEF14
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE3B14 4_2_0000024067EE3B14
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEE310 4_2_0000024067EEE310
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED92F0 4_2_0000024067ED92F0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDD6CC 4_2_0000024067EDD6CC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEEAC0 4_2_0000024067EEEAC0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE96D4 4_2_0000024067EE96D4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED3ABC 4_2_0000024067ED3ABC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEA6BC 4_2_0000024067EEA6BC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDAAB8 4_2_0000024067EDAAB8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED4EB8 4_2_0000024067ED4EB8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED8A8C 4_2_0000024067ED8A8C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EF4E8C 4_2_0000024067EF4E8C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDBE90 4_2_0000024067EDBE90
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE4A90 4_2_0000024067EE4A90
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDA660 4_2_0000024067EDA660
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED3274 4_2_0000024067ED3274
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE0A70 4_2_0000024067EE0A70
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEA244 4_2_0000024067EEA244
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDF65C 4_2_0000024067EDF65C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDB258 4_2_0000024067EDB258
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF350000 5_2_000001CAEF350000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A8FC8 5_2_000001CAEF3A8FC8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF398BC8 5_2_000001CAEF398BC8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AA000 5_2_000001CAEF3AA000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39CC14 5_2_000001CAEF39CC14
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39263C 5_2_000001CAEF39263C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A709C 5_2_000001CAEF3A709C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF397D6C 5_2_000001CAEF397D6C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39FFB8 5_2_000001CAEF39FFB8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A8BB8 5_2_000001CAEF3A8BB8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF398FB0 5_2_000001CAEF398FB0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39DBA0 5_2_000001CAEF39DBA0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF391B94 5_2_000001CAEF391B94
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF399408 5_2_000001CAEF399408
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF397C08 5_2_000001CAEF397C08
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF391000 5_2_000001CAEF391000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3B27EC 5_2_000001CAEF3B27EC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39A7F0 5_2_000001CAEF39A7F0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF392FD4 5_2_000001CAEF392FD4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3933D4 5_2_000001CAEF3933D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A97CC 5_2_000001CAEF3A97CC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A3FD0 5_2_000001CAEF3A3FD0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39B83C 5_2_000001CAEF39B83C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF397840 5_2_000001CAEF397840
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A1030 5_2_000001CAEF3A1030
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AEC30 5_2_000001CAEF3AEC30
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3B181C 5_2_000001CAEF3B181C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3ACC84 5_2_000001CAEF3ACC84
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF394C84 5_2_000001CAEF394C84
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39B07C 5_2_000001CAEF39B07C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A5880 5_2_000001CAEF3A5880
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39D474 5_2_000001CAEF39D474
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF392C78 5_2_000001CAEF392C78
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39C078 5_2_000001CAEF39C078
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A6C70 5_2_000001CAEF3A6C70
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AB460 5_2_000001CAEF3AB460
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AC058 5_2_000001CAEF3AC058
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AC44C 5_2_000001CAEF3AC44C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3B5450 5_2_000001CAEF3B5450
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AA6BC 5_2_000001CAEF3AA6BC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF393ABC 5_2_000001CAEF393ABC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AEAC0 5_2_000001CAEF3AEAC0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39AAB8 5_2_000001CAEF39AAB8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF394EB8 5_2_000001CAEF394EB8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3B4E8C 5_2_000001CAEF3B4E8C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF398A8C 5_2_000001CAEF398A8C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A4A90 5_2_000001CAEF3A4A90
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39BE90 5_2_000001CAEF39BE90
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3992F0 5_2_000001CAEF3992F0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A96D4 5_2_000001CAEF3A96D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39D6CC 5_2_000001CAEF39D6CC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39D33C 5_2_000001CAEF39D33C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39EF14 5_2_000001CAEF39EF14
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A3B14 5_2_000001CAEF3A3B14
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A4F18 5_2_000001CAEF3A4F18
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AE310 5_2_000001CAEF3AE310
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A5384 5_2_000001CAEF3A5384
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39F77C 5_2_000001CAEF39F77C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF398378 5_2_000001CAEF398378
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AD770 5_2_000001CAEF3AD770
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3ACF70 5_2_000001CAEF3ACF70
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39975C 5_2_000001CAEF39975C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF394758 5_2_000001CAEF394758
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AE750 5_2_000001CAEF3AE750
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A15C8 5_2_000001CAEF3A15C8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3995BC 5_2_000001CAEF3995BC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3ABDA0 5_2_000001CAEF3ABDA0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A8E08 5_2_000001CAEF3A8E08
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A5A00 5_2_000001CAEF3A5A00
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3B8A00 5_2_000001CAEF3B8A00
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AD5F0 5_2_000001CAEF3AD5F0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AA244 5_2_000001CAEF3AA244
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A8A2C 5_2_000001CAEF3A8A2C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A0E2C 5_2_000001CAEF3A0E2C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A662C 5_2_000001CAEF3A662C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39BA2C 5_2_000001CAEF39BA2C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39461C 5_2_000001CAEF39461C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF394214 5_2_000001CAEF394214
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A020C 5_2_000001CAEF3A020C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF393E0C 5_2_000001CAEF393E0C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF393274 5_2_000001CAEF393274
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A0A70 5_2_000001CAEF3A0A70
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39F65C 5_2_000001CAEF39F65C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39A660 5_2_000001CAEF39A660
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39B258 5_2_000001CAEF39B258
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A5CC4 5_2_000001CAEF3A5CC4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39F8C4 5_2_000001CAEF39F8C4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3B94BC 5_2_000001CAEF3B94BC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39DCB8 5_2_000001CAEF39DCB8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3998AC 5_2_000001CAEF3998AC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AA8B0 5_2_000001CAEF3AA8B0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF39AC94 5_2_000001CAEF39AC94
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3948FC 5_2_000001CAEF3948FC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3B8500 5_2_000001CAEF3B8500
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF393CF4 5_2_000001CAEF393CF4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3990F8 5_2_000001CAEF3990F8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3918DC 5_2_000001CAEF3918DC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A20E0 5_2_000001CAEF3A20E0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A3CD4 5_2_000001CAEF3A3CD4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3914D4 5_2_000001CAEF3914D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A08CC 5_2_000001CAEF3A08CC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3980CC 5_2_000001CAEF3980CC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF396138 5_2_000001CAEF396138
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AB130 5_2_000001CAEF3AB130
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF397530 5_2_000001CAEF397530
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A1924 5_2_000001CAEF3A1924
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3AAD28 5_2_000001CAEF3AAD28
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A4D20 5_2_000001CAEF3A4D20
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A7518 5_2_000001CAEF3A7518
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3A610C 5_2_000001CAEF3A610C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001CAEF3B9910 5_2_000001CAEF3B9910
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_01FD0000 6_2_01FD0000
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02050618 6_2_02050618
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02036E42 6_2_02036E42
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02039B79 6_2_02039B79
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020573A4 6_2_020573A4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02038BC8 6_2_02038BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02048FC8 6_2_02048FC8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02043FD0 6_2_02043FD0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020363F4 6_2_020363F4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203640A 6_2_0203640A
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203CC14 6_2_0203CC14
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020408CC 6_2_020408CC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02037D6C 6_2_02037D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02045A00 6_2_02045A00
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02058A00 6_2_02058A00
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204020C 6_2_0204020C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02048E08 6_2_02048E08
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02033E0C 6_2_02033E0C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02034214 6_2_02034214
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203461C 6_2_0203461C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02048A2C 6_2_02048A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02040E2C 6_2_02040E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204662C 6_2_0204662C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203BA2C 6_2_0203BA2C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203263C 6_2_0203263C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204A244 6_2_0204A244
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02056E48 6_2_02056E48
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203B258 6_2_0203B258
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203F65C 6_2_0203F65C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203A660 6_2_0203A660
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02040A70 6_2_02040A70
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02033274 6_2_02033274
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02052E84 6_2_02052E84
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02054E8C 6_2_02054E8C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02038A8C 6_2_02038A8C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203BE90 6_2_0203BE90
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02044A90 6_2_02044A90
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02052AB0 6_2_02052AB0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204A6BC 6_2_0204A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02047EBE 6_2_02047EBE
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203AAB8 6_2_0203AAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02034EB8 6_2_02034EB8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02033ABC 6_2_02033ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204EAC0 6_2_0204EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203D6CC 6_2_0203D6CC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020496D4 6_2_020496D4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020392F0 6_2_020392F0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020536FC 6_2_020536FC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02043B14 6_2_02043B14
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204E310 6_2_0204E310
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02058310 6_2_02058310
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203EF14 6_2_0203EF14
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02055B1C 6_2_02055B1C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02044F18 6_2_02044F18
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203D33C 6_2_0203D33C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204E750 6_2_0204E750
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02034758 6_2_02034758
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203975C 6_2_0203975C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02058B68 6_2_02058B68
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204D770 6_2_0204D770
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204CF70 6_2_0204CF70
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02038378 6_2_02038378
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203F77C 6_2_0203F77C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02045384 6_2_02045384
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02031B94 6_2_02031B94
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204779A 6_2_0204779A
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203DBA0 6_2_0203DBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020547A8 6_2_020547A8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02038FB0 6_2_02038FB0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203FFB8 6_2_0203FFB8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02048BB8 6_2_02048BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020497CC 6_2_020497CC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02032FD4 6_2_02032FD4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020333D4 6_2_020333D4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020527EC 6_2_020527EC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203A7F0 6_2_0203A7F0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204FFFC 6_2_0204FFFC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02031000 6_2_02031000
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204A000 6_2_0204A000
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02039408 6_2_02039408
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02037C08 6_2_02037C08
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02037410 6_2_02037410
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0205181C 6_2_0205181C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02041030 6_2_02041030
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204EC30 6_2_0204EC30
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203B83C 6_2_0203B83C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02037840 6_2_02037840
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204C44C 6_2_0204C44C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02055450 6_2_02055450
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204C058 6_2_0204C058
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204B460 6_2_0204B460
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02055868 6_2_02055868
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02046C70 6_2_02046C70
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203D474 6_2_0203D474
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02032C78 6_2_02032C78
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203C078 6_2_0203C078
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203B07C 6_2_0203B07C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204CC84 6_2_0204CC84
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02045880 6_2_02045880
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02034C84 6_2_02034C84
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0205488C 6_2_0205488C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02051494 6_2_02051494
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203AC94 6_2_0203AC94
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204709C 6_2_0204709C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020544A8 6_2_020544A8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020398AC 6_2_020398AC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204A8B0 6_2_0204A8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020594BC 6_2_020594BC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203DCB8 6_2_0203DCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02045CC4 6_2_02045CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0203F8C4 6_2_0203F8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020380CC 6_2_020380CC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02043CD4 6_2_02043CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02051CD4 6_2_02051CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020314D4 6_2_020314D4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020318DC 6_2_020318DC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020420E0 6_2_020420E0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02033CF4 6_2_02033CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020390F8 6_2_020390F8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020348FC 6_2_020348FC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02058500 6_2_02058500
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02052100 6_2_02052100
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204610C 6_2_0204610C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02059910 6_2_02059910
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02047518 6_2_02047518
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02041924 6_2_02041924
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02044D20 6_2_02044D20
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204AD28 6_2_0204AD28
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204B130 6_2_0204B130
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02036138 6_2_02036138
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_02054D64 6_2_02054D64
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204BDA0 6_2_0204BDA0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020395BC 6_2_020395BC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_020415C8 6_2_020415C8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0204D5F0 6_2_0204D5F0
Contains functionality to call native functions
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 3_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert, 3_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject, 3_2_0000000180010DB0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 4_2_0000000180010C10
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert, 4_2_0000000180010AC0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject, 4_2_0000000180010DB0
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: f_00321b.dll Virustotal: Detection: 60%
Source: f_00321b.dll ReversingLabs: Detection: 79%
Source: f_00321b.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\f_00321b.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RymKYMmySRfU\EAqrfXJOpHznppsf.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IzuSuDitBV\QmEREbzuu.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll" Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RymKYMmySRfU\EAqrfXJOpHznppsf.dll" Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IzuSuDitBV\QmEREbzuu.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@17/2@0/48
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02308BC8 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification, 3_2_02308BC8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2516:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5432:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: f_00321b.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: f_00321b.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: f_00321b.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: f_00321b.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: f_00321b.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: f_00321b.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005C69 push rdi; ret 3_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800056DD push rdi; ret 3_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230A26E push ebp; ret 3_2_0230A26F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02317EAF push 458BCC5Ah; retf 3_2_02317EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02309E8B push eax; retf 3_2_02309E8E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231C731 push esi; iretd 3_2_0231C732
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02306C9F pushad ; ret 3_2_02306CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230A0FC push ebp; iretd 3_2_0230A0FD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023180D7 push ebp; retf 3_2_023180D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02306CDE push esi; iretd 3_2_02306CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02317D3C push ebp; retf 3_2_02317D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02317D25 push 4D8BFFFFh; retf 3_2_02317D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02309D51 push ebp; retf 3_2_02309D5A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02318157 push ebp; retf 3_2_02318158
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02317D4E push ebp; iretd 3_2_02317D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02317987 push ebp; iretd 3_2_0231798F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0230A1D2 push ebp; iretd 3_2_0230A1D3
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180005C69 push rdi; ret 4_2_0000000180005C72
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800056DD push rdi; ret 4_2_00000001800056E4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDA1D2 push ebp; iretd 4_2_0000024067EDA1D3
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE7987 push ebp; iretd 4_2_0000024067EE798F
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE7D4E push ebp; iretd 4_2_0000024067EE7D4F
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE8157 push ebp; retf 4_2_0000024067EE8158
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED9D51 push ebp; retf 4_2_0000024067ED9D5A
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE7D25 push 4D8BFFFFh; retf 4_2_0000024067EE7D2A
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE7D3C push ebp; retf 4_2_0000024067EE7D3D
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EDA0FC push ebp; iretd 4_2_0000024067EDA0FD
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED6CDE push esi; iretd 4_2_0000024067ED6CDF
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EE80D7 push ebp; retf 4_2_0000024067EE80D8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067ED6C9F pushad ; ret 4_2_0000024067ED6CAA
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000024067EEC731 push esi; iretd 4_2_0000024067EEC732
PE file contains sections with non-standard names
Source: f_00321b.dll Static PE information: section name: _RDATA
Registers a DLL
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\regsvr32.exe PE file moved: C:\Windows\System32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\RymKYMmySRfU\EAqrfXJOpHznppsf.dll:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\IzuSuDitBV\QmEREbzuu.dll:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\regsvr32.exe TID: 5164 Thread sleep time: -660000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found large amount of non-executed APIs
Source: C:\Windows\System32\regsvr32.exe API coverage: 9.3 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008D28 FindFirstFileExW, 3_2_0000000180008D28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008D28 FindFirstFileExW, 4_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: regsvr32.exe, 00000006.00000003.405236343.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWN
Source: regsvr32.exe, 00000006.00000003.405236343.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490273767.000000000074B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.404596026.000000000074B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839083307.000000000074B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000004.00000003.318175405.0000024067CAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000000180001C48
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A878 GetProcessHeap, 3_2_000000018000A878
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 3_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00000001800017DC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0000000180001C48
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00000001800082EC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion
barindex
Early bird code injection technique detected
Source: C:\Windows\System32\cmd.exe Process created / APC Queued / Resumed: C:\Windows\System32\rundll32.exe Jump to behavior
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 213.239.212.5 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 119.59.103.152 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.235.8.30 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 206.189.28.199 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 107.170.39.149 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.56.131.28 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 169.57.156.166 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\regsvr32.exe Thread APC queued: target process: C:\Windows\System32\rundll32.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800070A0 cpuid 3_2_00000001800070A0
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_0000000180001D98

Stealing of Sensitive Information
barindex
Yara detected Emotet
Source: Yara match File source: 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.rundll32.exe.1caef360000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.24067ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.24067ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.22d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.22d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1caef360000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1fe0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.320583141.0000024067ED1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.839406801.0000000002031000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.839356776.0000000001FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319594851.0000000002301000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319426857.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320938696.000001CAEF360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320487184.0000024067EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320983303.000001CAEF391000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 829552 Sample: f_00321b Startdate: 18/03/2023 Architecture: WINDOWS Score: 100 32 129.232.188.93 xneeloZA South Africa 2->32 34 185.4.135.165 TOPHOSTGR Greece 2->34 36 22 other IPs or domains 2->36 44 Snort IDS alert for network traffic 2->44 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 2 other signatures 2->50 9 loaddll64.exe 1 2->9         started        signatures3 process4 process5 11 regsvr32.exe 2 9->11         started        14 cmd.exe 1 9->14         started        16 rundll32.exe 2 9->16         started        18 conhost.exe 9->18         started        signatures6 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->56 58 Queues an APC in another process (thread injection) 11->58 20 regsvr32.exe 11->20         started        60 Early bird code injection technique detected 14->60 24 rundll32.exe 2 14->24         started        26 regsvr32.exe 16->26         started        28 conhost.exe 16->28         started        process7 dnsIp8 38 45.235.8.30, 49733, 8080 WIKINETTELECOMUNICACOESBR Brazil 20->38 40 169.57.156.166, 8080 SOFTLAYERUS United States 20->40 42 22 other IPs or domains 20->42 52 System process connects to network (likely due to code injection or exploit) 20->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->54 30 regsvr32.exe 24->30         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
159.65.88.10
 unknown United States
14061 DIGITALOCEAN-ASNUS true
172.105.226.75
 unknown United States
63949 LINODE-APLinodeLLCUS true
164.90.222.65
 unknown United States
14061 DIGITALOCEAN-ASNUS true
110.232.117.186
 unknown Australia
56038 RACKCORP-APRackCorpAU true
213.239.212.5
 unknown Germany
24940 HETZNER-ASDE true
5.135.159.50
 unknown France
16276 OVHFR true
186.194.240.217
 unknown Brazil
262733 NetceteraTelecomunicacoesLtdaBR true
103.132.242.26
 unknown India
45117 INPL-IN-APIshansNetworkIN true
104.168.155.143
 unknown United States
54290 HOSTWINDSUS true
119.59.103.152
 unknown Thailand
56067 METRABYTE-TH453LadplacoutJorakhaebuaTH true
79.137.35.198
 unknown France
16276 OVHFR true
159.89.202.34
 unknown United States
14061 DIGITALOCEAN-ASNUS true
91.121.146.47
 unknown France
16276 OVHFR true
160.16.142.56
 unknown Japan 9370 SAKURA-BSAKURAInternetIncJP true
201.94.166.162
 unknown Brazil
28573 CLAROSABR true
91.207.28.33
 unknown Kyrgyzstan
39819 PROHOSTKG true
103.75.201.2
 unknown Thailand
133496 CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH true
103.43.75.120
 unknown Japan 20473 AS-CHOOPAUS true
115.68.227.76
 unknown Korea Republic of
38700 SMILESERV-AS-KRSMILESERVKR true
188.44.20.25
 unknown Macedonia
57374 GIV-ASMK true
45.235.8.30
 unknown Brazil
267405 WIKINETTELECOMUNICACOESBR true
153.126.146.25
 unknown Japan 7684 SAKURA-ASAKURAInternetIncJP true
72.15.201.15
 unknown United States
13649 ASN-VINSUS true
163.44.196.120
 unknown Singapore
135161 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG true
206.189.28.199
 unknown United States
14061 DIGITALOCEAN-ASNUS true
107.170.39.149
 unknown United States
14061 DIGITALOCEAN-ASNUS true
66.228.32.31
 unknown United States
63949 LINODE-APLinodeLLCUS true
187.63.160.88
 unknown Brazil
28169 BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR true
82.223.21.224
 unknown Spain
8560 ONEANDONE-ASBrauerstrasse48DE true
197.242.150.244
 unknown South Africa
37611 AfrihostZA true
173.212.193.249
 unknown Germany
51167 CONTABODE true
185.4.135.165
 unknown Greece
199246 TOPHOSTGR true
183.111.227.137
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR true
45.176.232.124
 unknown Colombia
267869 CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC true
95.217.221.146
 unknown Germany
24940 HETZNER-ASDE true
149.56.131.28
 unknown Canada
16276 OVHFR true
169.57.156.166
 unknown United States
36351 SOFTLAYERUS true
164.68.99.3
 unknown Germany
51167 CONTABODE true
182.162.143.56
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR true
139.59.126.41
 unknown Singapore
14061 DIGITALOCEAN-ASNUS true
1.234.2.232
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
167.172.253.162
 unknown United States
14061 DIGITALOCEAN-ASNUS true
129.232.188.93
 unknown South Africa
37153 xneeloZA true
167.172.199.165
 unknown United States
14061 DIGITALOCEAN-ASNUS true
202.129.205.3
 unknown Thailand
45328 NIPA-AS-THNIPATECHNOLOGYCOLTDTH true
147.139.166.154
 unknown United States
45102 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC true
153.92.5.27
 unknown Germany
47583 AS-HOSTINGERLT true
94.23.45.86
 unknown France
16276 OVHFR true

Contacted Domains

Name IP Active
c-0001.c-msedge.net 13.107.4.50 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/ true
  • Avira URL Cloud: malware
 unknown