Windows Analysis Report OZra.dll

Overview

General Information

Sample Name: OZra.dll
Analysis ID: 553242
MD5: 02f53c085fb91533e4353e7a99ff8d57
SHA1: d6325cb54c0f234d8cbd6573c5655e812ce22870
SHA256: 04b4a8ee23f3b9fa941c2ca67d4a3358bab9dd2ff608e15a05ab49f77473bbaa
Tags: dll
Infos:

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 1.0.loaddll32.exe.1250000.2.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Multi AV Scanner detection for submitted file
Source: OZra.dll Virustotal: Detection: 37% Perma Link
Source: OZra.dll ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: OZra.dll Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: OZra.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.282406576.0000000003693000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.282326505.00000000050D9000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb!B source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.286834752.0000000003770000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.282380661.000000000368D000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286858130.0000000003775000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286858130.0000000003775000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbmBN source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.286834752.0000000003770000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbyBR source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.282867683.0000000003699000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.282867683.0000000003699000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.286834752.0000000003770000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286858130.0000000003775000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286858130.0000000003775000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.7:49715 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.7:49716 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 45.138.98.34:80
Source: Malware configuration extractor IPs: 69.16.218.101:8080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49716 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 12
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 0000001A.00000003.378406330.000001680759F000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001A.00000003.378406330.000001680759F000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001A.00000003.378434592.00000168075B0000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.378406330.000001680759F000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001A.00000003.378434592.00000168075B0000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.378406330.000001680759F000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001A.00000003.378406330.000001680759F000.00000004.00000001.sdmp String found in binary or memory: /tached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"level\":81,\
Source: svchost.exe, 0000001A.00000003.378406330.000001680759F000.00000004.00000001.sdmp String found in binary or memory: /tached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"level\":81,\
Source: svchost.exe, 0000000B.00000002.601913181.00000182A8286000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.304771996.00000000035D0000.00000004.00000020.sdmp, svchost.exe, 0000001A.00000002.395961914.0000016807500000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 0000000D.00000002.304771996.00000000035D0000.00000004.00000020.sdmp String found in binary or memory: http://crl.m
Source: WerFault.exe, 0000000D.00000002.304771996.00000000035D0000.00000004.00000020.sdmp String found in binary or memory: http://crl.microsoft
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 0000001A.00000003.373673525.0000016807590000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373723149.00000168075D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373559148.000001680756E000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373703154.00000168075D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373743807.00000168075B1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373767348.000001680756E000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.13.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000011.00000002.307697567.00000290A4E13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000E.00000002.765124602.000001DBA1A44000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000E.00000002.765124602.000001DBA1A44000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: rundll32.exe, 0000000A.00000003.280323978.0000000002799000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.280969774.0000000002799000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.279683399.0000000002797000.00000004.00000001.sdmp String found in binary or memory: https://45dl.windowsupdate.com/
Source: svchost.exe, 0000000E.00000002.765124602.000001DBA1A44000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000011.00000003.307216053.00000290A4E62000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000E.00000002.765124602.000001DBA1A44000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.765124602.000001DBA1A44000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000011.00000003.307254577.00000290A4E5A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.307254577.00000290A4E5A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307805579.00000290A4E5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000003.307216053.00000290A4E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.307746437.00000290A4E3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.307254577.00000290A4E5A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307805579.00000290A4E5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000011.00000003.307163466.00000290A4E68000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307843602.00000290A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000011.00000003.307216053.00000290A4E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.307346261.00000290A4E4D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307789498.00000290A4E4E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.307184911.00000290A4E48000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000003.307254577.00000290A4E5A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307805579.00000290A4E5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000003.307216053.00000290A4E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.307746437.00000290A4E3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.307216053.00000290A4E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000011.00000003.307216053.00000290A4E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000011.00000003.307216053.00000290A4E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000011.00000003.285050405.00000290A4E31000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000011.00000003.307281705.00000290A4E40000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307761527.00000290A4E42000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.307316845.00000290A4E41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000011.00000003.307281705.00000290A4E40000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307761527.00000290A4E42000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.307316845.00000290A4E41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000011.00000003.307216053.00000290A4E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.307254577.00000290A4E5A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.307281705.00000290A4E40000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307805579.00000290A4E5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001A.00000003.373673525.0000016807590000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373723149.00000168075D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373559148.000001680756E000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373703154.00000168075D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373743807.00000168075B1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373767348.000001680756E000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.307254577.00000290A4E5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.307254577.00000290A4E5A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307805579.00000290A4E5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.307254577.00000290A4E5A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307805579.00000290A4E5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.307304685.00000290A4E45000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000011.00000003.307216053.00000290A4E62000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.307746437.00000290A4E3D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.285050405.00000290A4E31000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000002.307746437.00000290A4E3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.307746437.00000290A4E3D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307697567.00000290A4E13000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.285050405.00000290A4E31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.307281705.00000290A4E40000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.307304685.00000290A4E45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.285050405.00000290A4E31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000011.00000003.285050405.00000290A4E31000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307737412.00000290A4E3A000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000011.00000003.307346261.00000290A4E4D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.307789498.00000290A4E4E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.307184911.00000290A4E48000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001A.00000003.373673525.0000016807590000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373723149.00000168075D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373559148.000001680756E000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373703154.00000168075D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373743807.00000168075B1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373767348.000001680756E000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001A.00000003.373673525.0000016807590000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373723149.00000168075D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373559148.000001680756E000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373703154.00000168075D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373743807.00000168075B1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.373767348.000001680756E000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001A.00000003.374752607.000001680758B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.374939713.0000016807A19000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.374821455.00000168075AD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.375120396.000001680758B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.374852477.0000016807A19000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.374796392.000001680759C000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100012D0 recvfrom, 3_2_100012D0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000001.00000000.277924800.00000000014AB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 4_2_1000FF59

E-Banking Fraud:

barindex
Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.4db0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c50000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4c20000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4b70000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4f60000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.25d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4c50000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4b00000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4de0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4c50000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4c80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4880000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1250000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a40000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3ff0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4c20000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1250000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4f60000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2e50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4850000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f30000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f00000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4490000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4770000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d40000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4d80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f00000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2b50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4d80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d70000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.51b0000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5180000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3fc0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4b30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.47a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4850000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4d00000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d70000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a10000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a10000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2750000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.25d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4c20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4da0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4b00000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4b60000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4b30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4d00000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4b40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4de0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4d30000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4c20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.45a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4b30000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5180000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4f90000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e10000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4770000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.277230906.0000000001291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.245550881.00000000045A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.767948147.0000000003FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.277049276.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769802750.0000000004F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254082981.0000000004D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769053034.0000000004A41000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.273029517.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769137988.0000000004B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254336408.0000000004F91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768874257.00000000049B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769905105.0000000004F31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769584388.0000000004D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.287148041.0000000002751000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768927905.00000000049E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768557651.00000000047A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287711363.0000000004C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254190415.0000000004E11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.305629952.0000000001291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287766425.0000000004C51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254016295.0000000004C51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.770272394.00000000051B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.288033255.0000000004DA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768503616.0000000004770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768707171.0000000004881000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769181045.0000000004B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287989838.0000000004D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.770133690.0000000005180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769523785.0000000004D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.286831940.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287948778.0000000004D41000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254155612.0000000004DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.766907831.0000000002601000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.253882077.0000000004B61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.766747209.00000000025D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287568705.0000000004B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.273086006.0000000001291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.253580540.0000000004491000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.245065589.0000000002E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769411597.0000000004C51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769343331.0000000004C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769001829.0000000004A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768649477.0000000004850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.305572210.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.253967626.0000000004C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254267571.0000000004F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.253441247.0000000002C30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287633180.0000000004B71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.287090609.0000000002720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287860742.0000000004D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.253851531.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.255990628.0000000004CB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.767995978.0000000003FF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254119219.0000000004DB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.255916492.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.286910091.0000000002B51000.00000020.00000001.sdmp, type: MEMORY

System Summary:

barindex
Uses 32bit PE files
Source: OZra.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4884 -ip 4884
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Ntodyweq\mtnyr.hby:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Fwwghxehin\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AEFDD 1_2_012AEFDD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01291F38 1_2_01291F38
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A8D3D 1_2_012A8D3D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A5333 1_2_012A5333
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012B2B09 1_2_012B2B09
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129670B 1_2_0129670B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AAD08 1_2_012AAD08
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129EF0C 1_2_0129EF0C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A5515 1_2_012A5515
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129F369 1_2_0129F369
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A437A 1_2_012A437A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A017B 1_2_012A017B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A5779 1_2_012A5779
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01296B7A 1_2_01296B7A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A4F74 1_2_012A4F74
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A9774 1_2_012A9774
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A654A 1_2_012A654A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129D14C 1_2_0129D14C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A2142 1_2_012A2142
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A7D5B 1_2_012A7D5B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AFF58 1_2_012AFF58
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012B2D53 1_2_012B2D53
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AE955 1_2_012AE955
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012B07AA 1_2_012B07AA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A8FAE 1_2_012A8FAE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012977A3 1_2_012977A3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012957B8 1_2_012957B8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AD1BC 1_2_012AD1BC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012B17BD 1_2_012B17BD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129BFBE 1_2_0129BFBE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129238C 1_2_0129238C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129FB8E 1_2_0129FB8E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A0F86 1_2_012A0F86
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A6187 1_2_012A6187
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A3D85 1_2_012A3D85
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01292194 1_2_01292194
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A67E6 1_2_012A67E6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AE1F8 1_2_012AE1F8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A27F9 1_2_012A27F9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A85FF 1_2_012A85FF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01294BFC 1_2_01294BFC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012955FF 1_2_012955FF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A07F4 1_2_012A07F4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A9DF5 1_2_012A9DF5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129C5D8 1_2_0129C5D8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AFBDE 1_2_012AFBDE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129E7DE 1_2_0129E7DE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AC5D5 1_2_012AC5D5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129B820 1_2_0129B820
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01293431 1_2_01293431
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01298636 1_2_01298636
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012B2009 1_2_012B2009
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A7A0F 1_2_012A7A0F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A9A01 1_2_012A9A01
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A8806 1_2_012A8806
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012B3263 1_2_012B3263
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A4A66 1_2_012A4A66
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012B0A64 1_2_012B0A64
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01297E79 1_2_01297E79
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01297078 1_2_01297078
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A567B 1_2_012A567B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129A871 1_2_0129A871
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012ADC71 1_2_012ADC71
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129DE74 1_2_0129DE74
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AA474 1_2_012AA474
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129E640 1_2_0129E640
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AF840 1_2_012AF840
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01297442 1_2_01297442
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129A445 1_2_0129A445
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A4244 1_2_012A4244
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A2E5D 1_2_012A2E5D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AB257 1_2_012AB257
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A3EAA 1_2_012A3EAA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129BAA9 1_2_0129BAA9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012B36AA 1_2_012B36AA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01291CA1 1_2_01291CA1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AA2A5 1_2_012AA2A5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A0ABA 1_2_012A0ABA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129C6B8 1_2_0129C6B8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012B46BD 1_2_012B46BD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012A0EBC 1_2_012A0EBC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129F0E9 1_2_0129F0E9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012B3EE9 1_2_012B3EE9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012B00EF 1_2_012B00EF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AE4E5 1_2_012AE4E5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012ABEFD 1_2_012ABEFD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012980C0 1_2_012980C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012AD8DB 1_2_012AD8DB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012ACCD9 1_2_012ACCD9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012ACAD5 1_2_012ACAD5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10020011 3_2_10020011
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100181CA 3_2_100181CA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001929D 3_2_1001929D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002542D 3_2_1002542D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100274AE 3_2_100274AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10026575 3_2_10026575
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001869D 3_2_1001869D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001178A 3_2_1001178A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10016860 3_2_10016860
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002596F 3_2_1002596F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10022A5C 3_2_10022A5C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10018A71 3_2_10018A71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001AAB7 3_2_1001AAB7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001CB16 3_2_1001CB16
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10018E7D 3_2_10018E7D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10025EB1 3_2_10025EB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10020011 4_2_10020011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100181CA 4_2_100181CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001929D 4_2_1001929D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002542D 4_2_1002542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100274AE 4_2_100274AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10026575 4_2_10026575
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001869D 4_2_1001869D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001178A 4_2_1001178A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10016860 4_2_10016860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002596F 4_2_1002596F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10022A5C 4_2_10022A5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10018A71 4_2_10018A71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001AAB7 4_2_1001AAB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001CB16 4_2_1001CB16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10018E7D 4_2_10018E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10025EB1 4_2_10025EB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B85FF 4_2_045B85FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BEFDD 4_2_045BEFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A7442 4_2_045A7442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AA445 4_2_045AA445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BDC71 4_2_045BDC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BA474 4_2_045BA474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A3431 4_2_045A3431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BCCD9 4_2_045BCCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BE4E5 4_2_045BE4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A1CA1 4_2_045A1CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B7D5B 4_2_045B7D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045C2D53 4_2_045C2D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B654A 4_2_045B654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B5515 4_2_045B5515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BAD08 4_2_045BAD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B8D3D 4_2_045B8D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AC5D8 4_2_045AC5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BC5D5 4_2_045BC5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A55FF 4_2_045A55FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B9DF5 4_2_045B9DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B3D85 4_2_045B3D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AE640 4_2_045AE640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B567B 4_2_045B567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A7E79 4_2_045A7E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045ADE74 4_2_045ADE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BBEFD 4_2_045BBEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045C3EE9 4_2_045C3EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045C46BD 4_2_045C46BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AC6B8 4_2_045AC6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B0EBC 4_2_045B0EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B3EAA 4_2_045B3EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045C36AA 4_2_045C36AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BFF58 4_2_045BFF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B9774 4_2_045B9774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B4F74 4_2_045B4F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A670B 4_2_045A670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AEF0C 4_2_045AEF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A1F38 4_2_045A1F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AE7DE 4_2_045AE7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B27F9 4_2_045B27F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B07F4 4_2_045B07F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B67E6 4_2_045B67E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B0F86 4_2_045B0F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045C17BD 4_2_045C17BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A57B8 4_2_045A57B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045ABFBE 4_2_045ABFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B8FAE 4_2_045B8FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045C07AA 4_2_045C07AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A77A3 4_2_045A77A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BF840 4_2_045BF840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A7078 4_2_045A7078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AA871 4_2_045AA871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045C2009 4_2_045C2009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B8806 4_2_045B8806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AB820 4_2_045AB820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BD8DB 4_2_045BD8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A80C0 4_2_045A80C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AF0E9 4_2_045AF0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045C00EF 4_2_045C00EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B2142 4_2_045B2142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B017B 4_2_045B017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BE1F8 4_2_045BE1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A91F6 4_2_045A91F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A2194 4_2_045A2194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B6187 4_2_045B6187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BD1BC 4_2_045BD1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BB257 4_2_045BB257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B4244 4_2_045B4244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045C0A64 4_2_045C0A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B4A66 4_2_045B4A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045C3263 4_2_045C3263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B7A0F 4_2_045B7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B9A01 4_2_045B9A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BCAD5 4_2_045BCAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AD2CB 4_2_045AD2CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B0ABA 4_2_045B0ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045ABAA9 4_2_045ABAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AD2A2 4_2_045AD2A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BA2A5 4_2_045BA2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A6B7A 4_2_045A6B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B437A 4_2_045B437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AF369 4_2_045AF369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045C2B09 4_2_045C2B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B5333 4_2_045B5333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045B5B28 4_2_045B5B28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045BFBDE 4_2_045BFBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A4BFC 4_2_045A4BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AFB8E 4_2_045AFB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A238C 4_2_045A238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B67A0F 5_2_02B67A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B72009 5_2_02B72009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5DE74 5_2_02B5DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B64A66 5_2_02B64A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B591F6 5_2_02B591F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6EFDD 5_2_02B6EFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5C5D8 5_2_02B5C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5670B 5_2_02B5670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6AD08 5_2_02B6AD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6FF58 5_2_02B6FF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B62142 5_2_02B62142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6654A 5_2_02B6654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B60EBC 5_2_02B60EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B746BD 5_2_02B746BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B60ABA 5_2_02B60ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5C6B8 5_2_02B5C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6A2A5 5_2_02B6A2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B51CA1 5_2_02B51CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5BAA9 5_2_02B5BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B63EAA 5_2_02B63EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B736AA 5_2_02B736AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6BEFD 5_2_02B6BEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6E4E5 5_2_02B6E4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B700EF 5_2_02B700EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5F0E9 5_2_02B5F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B73EE9 5_2_02B73EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6CAD5 5_2_02B6CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6D8DB 5_2_02B6D8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6CCD9 5_2_02B6CCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B580C0 5_2_02B580C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B53431 5_2_02B53431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5B820 5_2_02B5B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B68806 5_2_02B68806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B69A01 5_2_02B69A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6A474 5_2_02B6A474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5A871 5_2_02B5A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6DC71 5_2_02B6DC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B57E79 5_2_02B57E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6567B 5_2_02B6567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B57078 5_2_02B57078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B70A64 5_2_02B70A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B73263 5_2_02B73263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6B257 5_2_02B6B257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B62E5D 5_2_02B62E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5A445 5_2_02B5A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B64244 5_2_02B64244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5E640 5_2_02B5E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6F840 5_2_02B6F840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B57442 5_2_02B57442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6D1BC 5_2_02B6D1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B717BD 5_2_02B717BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5BFBE 5_2_02B5BFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B557B8 5_2_02B557B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B577A3 5_2_02B577A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B68FAE 5_2_02B68FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B707AA 5_2_02B707AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B52194 5_2_02B52194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B60F86 5_2_02B60F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B66187 5_2_02B66187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B63D85 5_2_02B63D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5238C 5_2_02B5238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5FB8E 5_2_02B5FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B607F4 5_2_02B607F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B69DF5 5_2_02B69DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B685FF 5_2_02B685FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B54BFC 5_2_02B54BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B555FF 5_2_02B555FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6E1F8 5_2_02B6E1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B627F9 5_2_02B627F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B667E6 5_2_02B667E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6C5D5 5_2_02B6C5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6FBDE 5_2_02B6FBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5E7DE 5_2_02B5E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B65333 5_2_02B65333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B68D3D 5_2_02B68D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B51F38 5_2_02B51F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B65515 5_2_02B65515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5EF0C 5_2_02B5EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B72B09 5_2_02B72B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B69774 5_2_02B69774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B64F74 5_2_02B64F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6437A 5_2_02B6437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6017B 5_2_02B6017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B56B7A 5_2_02B56B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B65779 5_2_02B65779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5F369 5_2_02B5F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B6E955 5_2_02B6E955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B72D53 5_2_02B72D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B67D5B 5_2_02B67D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5D14C 5_2_02B5D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449A445 6_2_0449A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AB257 6_2_044AB257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A4A66 6_2_044A4A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449DE74 6_2_0449DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B2009 6_2_044B2009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A7A0F 6_2_044A7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A654A 6_2_044A654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A2142 6_2_044A2142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AFF58 6_2_044AFF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AE955 6_2_044AE955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449670B 6_2_0449670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AAD08 6_2_044AAD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449C5D8 6_2_0449C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AEFDD 6_2_044AEFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A85FF 6_2_044A85FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044991F6 6_2_044991F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B17BD 6_2_044B17BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449E640 6_2_0449E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AF840 6_2_044AF840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04497442 6_2_04497442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A4244 6_2_044A4244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A2E5D 6_2_044A2E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B3263 6_2_044B3263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B0A64 6_2_044B0A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04497E79 6_2_04497E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A567B 6_2_044A567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04497078 6_2_04497078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449A871 6_2_0449A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044ADC71 6_2_044ADC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AA474 6_2_044AA474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A9A01 6_2_044A9A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A8806 6_2_044A8806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449B820 6_2_0449B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04493431 6_2_04493431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044980C0 6_2_044980C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AD8DB 6_2_044AD8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044ACCD9 6_2_044ACCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044ACAD5 6_2_044ACAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449F0E9 6_2_0449F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B3EE9 6_2_044B3EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B00EF 6_2_044B00EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AE4E5 6_2_044AE4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044ABEFD 6_2_044ABEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449BAA9 6_2_0449BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A3EAA 6_2_044A3EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B36AA 6_2_044B36AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04491CA1 6_2_04491CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AA2A5 6_2_044AA2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A0ABA 6_2_044A0ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449C6B8 6_2_0449C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A0EBC 6_2_044A0EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B46BD 6_2_044B46BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449D14C 6_2_0449D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A7D5B 6_2_044A7D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B2D53 6_2_044B2D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449F369 6_2_0449F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A437A 6_2_044A437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A017B 6_2_044A017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04496B7A 6_2_04496B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A5779 6_2_044A5779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A9774 6_2_044A9774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A4F74 6_2_044A4F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B2B09 6_2_044B2B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449EF0C 6_2_0449EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A5515 6_2_044A5515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04491F38 6_2_04491F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A8D3D 6_2_044A8D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A5333 6_2_044A5333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AFBDE 6_2_044AFBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449E7DE 6_2_0449E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AC5D5 6_2_044AC5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A67E6 6_2_044A67E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AE1F8 6_2_044AE1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A27F9 6_2_044A27F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04494BFC 6_2_04494BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044955FF 6_2_044955FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A07F4 6_2_044A07F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A9DF5 6_2_044A9DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449238C 6_2_0449238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449FB8E 6_2_0449FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A0F86 6_2_044A0F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A6187 6_2_044A6187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A3D85 6_2_044A3D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04492194 6_2_04492194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B07AA 6_2_044B07AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A8FAE 6_2_044A8FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044977A3 6_2_044977A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044957B8 6_2_044957B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AD1BC 6_2_044AD1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449BFBE 6_2_0449BFBE
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1001984C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001984C appears 48 times
Sample file is different than original file name gathered from version info
Source: OZra.dll Binary or memory string: OriginalFilenameUDPTool.EXE: vs OZra.dll
PE file contains strange resources
Source: OZra.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: OZra.dll Virustotal: Detection: 37%
Source: OZra.dll ReversingLabs: Detection: 44%
Source: OZra.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\OZra.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OZra.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\OZra.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OZra.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OZra.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\OZra.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4884 -ip 4884
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ntodyweq\mtnyr.hby",XUkCH
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ntodyweq\mtnyr.hby",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4884 -ip 4884
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 512
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\OZra.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OZra.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\OZra.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OZra.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OZra.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\OZra.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\OZra.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ntodyweq\mtnyr.hby",XUkCH Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4884 -ip 4884 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4884 -ip 4884 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 512 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ntodyweq\mtnyr.hby",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER64CE.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@38/17@0/29
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OZra.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6832:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:724:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4884
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100126F9 FindResourceA,LoadResource,LockResource,FreeResource, 3_2_100126F9
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.282406576.0000000003693000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.282326505.00000000050D9000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb!B source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.286834752.0000000003770000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.282380661.000000000368D000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286858130.0000000003775000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286858130.0000000003775000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbmBN source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.286834752.0000000003770000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbyBR source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.282867683.0000000003699000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.282867683.0000000003699000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.286834752.0000000003770000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286858130.0000000003775000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 0000000D.00000003.286765752.0000000003772000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286858130.0000000003775000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.286783425.0000000003778000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.286869011.0000000003778000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.286753179.0000000005421000.00000004.00000001.sdmp
Source: OZra.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: OZra.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: OZra.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: OZra.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: OZra.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01291195 push cs; iretd 1_2_01291197
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10019891 push ecx; ret 3_2_100198A4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10017C60 push ecx; ret 3_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10019891 push ecx; ret 4_2_100198A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10017C60 push ecx; ret 4_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045A1195 push cs; iretd 4_2_045A1197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B51195 push cs; iretd 5_2_02B51197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04491195 push cs; iretd 6_2_04491197
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_10023A79
PE file contains an invalid checksum
Source: OZra.dll Static PE information: real checksum: 0x66354 should be: 0x70258
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\OZra.dll

Persistence and Installation Behavior:

barindex
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Ntodyweq\mtnyr.hby Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Fwwghxehin\jciimdknbnmehlt.ipm:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ntodyweq\mtnyr.hby:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_1000D804
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_10008B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_1000D804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 4_2_10008B90
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 4860 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3104 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2968 Thread sleep time: -210000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: Amcache.hve.13.dr Binary or memory string: VMware
Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: svchost.exe, 0000000B.00000002.601887638.00000182A8262000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: Amcache.hve.13.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001A.00000002.395697452.0000016806CA8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr Binary or memory string: VMware7,1
Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 0000000B.00000002.601850259.00000182A824C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.601491610.00000182A2A2A000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.305029959.00000000050B8000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.303188413.00000000050A3000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.303239827.00000000050B7000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.305012334.00000000050A5000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.395663380.0000016806C71000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.395753259.0000016806CE7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.13.dr Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: WerFault.exe, 0000000D.00000003.301196253.00000000050CF000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.301053412.00000000050CF000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.765277643.000001DBA1A68000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.765054909.000001E2E6A2A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1001C49A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_10023A79
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 3_2_100178B6
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0129F7F7 mov eax, dword ptr fs:[00000030h] 1_2_0129F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_045AF7F7 mov eax, dword ptr fs:[00000030h] 4_2_045AF7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B5F7F7 mov eax, dword ptr fs:[00000030h] 5_2_02B5F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0449F7F7 mov eax, dword ptr fs:[00000030h] 6_2_0449F7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01296B7A LdrInitializeThunk, 1_2_01296B7A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1001C49A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_10021743
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_100167D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 3_2_1001FC21
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 3_2_1001FC43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1001C49A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_10021743
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_100167D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 4_2_1001FC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 4_2_1001FC43

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OZra.dll",#1 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4884 -ip 4884 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4884 -ip 4884 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 512 Jump to behavior
Source: loaddll32.exe, 00000001.00000000.278076137.0000000001B30000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.275472964.0000000001B30000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.767849850.0000000002B30000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000000.278076137.0000000001B30000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.275472964.0000000001B30000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.767849850.0000000002B30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000000.278076137.0000000001B30000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.275472964.0000000001B30000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.767849850.0000000002B30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000000.278076137.0000000001B30000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.275472964.0000000001B30000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.767849850.0000000002B30000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_10027704
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 3_2_1000A803
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 3_2_10023880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 4_2_10027704
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 4_2_1000A803
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_10023880
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10022853 cpuid 3_2_10022853
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001F914 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_1001F914
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 3_2_100178B6

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 00000014.00000002.765054467.000001D0A0A40000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000014.00000002.765139141.000001D0A0B02000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.764997555.000001D0A0A2A000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

barindex
Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.4db0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c50000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4c20000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4b70000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4f60000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.25d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4c50000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4b00000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4de0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4c50000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4c80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4880000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1250000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a40000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3ff0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4c20000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1250000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4f60000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2e50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4850000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f30000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f00000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4490000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4770000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d40000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4d80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f00000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2b50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4d80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d70000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.51b0000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5180000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3fc0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4b30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.47a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4850000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4d00000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d70000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a10000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a10000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2750000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.25d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4c20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4da0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4b00000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4b60000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4b30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4d00000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4b40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4de0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4d30000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4c20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.45a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4b30000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5180000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4f90000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e10000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4770000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.277230906.0000000001291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.245550881.00000000045A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.767948147.0000000003FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.277049276.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769802750.0000000004F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254082981.0000000004D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769053034.0000000004A41000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.273029517.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769137988.0000000004B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254336408.0000000004F91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768874257.00000000049B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769905105.0000000004F31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769584388.0000000004D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.287148041.0000000002751000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768927905.00000000049E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768557651.00000000047A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287711363.0000000004C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254190415.0000000004E11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.305629952.0000000001291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287766425.0000000004C51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254016295.0000000004C51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.770272394.00000000051B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.288033255.0000000004DA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768503616.0000000004770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768707171.0000000004881000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769181045.0000000004B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287989838.0000000004D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.770133690.0000000005180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769523785.0000000004D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.286831940.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287948778.0000000004D41000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254155612.0000000004DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.766907831.0000000002601000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.253882077.0000000004B61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.766747209.00000000025D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287568705.0000000004B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.273086006.0000000001291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.253580540.0000000004491000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.245065589.0000000002E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769411597.0000000004C51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769343331.0000000004C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.769001829.0000000004A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768649477.0000000004850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.305572210.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.253967626.0000000004C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254267571.0000000004F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.253441247.0000000002C30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287633180.0000000004B71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.287090609.0000000002720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287860742.0000000004D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.253851531.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.255990628.0000000004CB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.767995978.0000000003FF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.254119219.0000000004DB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.255916492.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.286910091.0000000002B51000.00000020.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 3_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 4_2_100011C0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 553242 Sample: OZra.dll Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 57 210.57.209.142 UNAIR-AS-IDUniversitasAirlanggaID Indonesia 2->57 59 85.214.67.203 STRATOSTRATOAGDE Germany 2->59 61 23 other IPs or domains 2->61 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Found malware configuration 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 4 other signatures 2->75 11 loaddll32.exe 1 2->11         started        13 svchost.exe 2->13         started        16 svchost.exe 4 2->16         started        18 9 other processes 2->18 signatures3 process4 dnsIp5 21 cmd.exe 1 11->21         started        23 rundll32.exe 2 11->23         started        26 regsvr32.exe 11->26         started        28 WerFault.exe 6 9 11->28         started        83 Changes security center settings (notifications, updates, antivirus, firewall) 13->83 30 MpCmdRun.exe 13->30         started        32 WerFault.exe 16->32         started        34 WerFault.exe 16->34         started        63 127.0.0.1 unknown unknown 18->63 signatures6 process7 signatures8 36 rundll32.exe 21->36         started        79 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->79 39 rundll32.exe 26->39         started        41 conhost.exe 30->41         started        process9 signatures10 77 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 36->77 43 rundll32.exe 2 36->43         started        process11 dnsIp12 65 192.168.2.1 unknown unknown 43->65 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 43->81 47 rundll32.exe 43->47         started        signatures13 process14 process15 49 rundll32.exe 47->49         started        dnsIp16 53 45.138.98.34, 49715, 80 M247GB Germany 49->53 55 69.16.218.101, 49716, 8080 LIQUIDWEBUS United States 49->55 67 System process connects to network (likely due to code injection or exploit) 49->67 signatures17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
207.148.81.119
 unknown United States
20473 AS-CHOOPAUS true
104.131.62.48
 unknown United States
14061 DIGITALOCEAN-ASNUS true
85.214.67.203
 unknown Germany
6724 STRATOSTRATOAGDE true
191.252.103.16
 unknown Brazil
27715 LocawebServicosdeInternetSABR true
168.197.250.14
 unknown Argentina
264776 OmarAnselmoRipollTDCNETAR true
66.42.57.149
 unknown United States
20473 AS-CHOOPAUS true
185.148.168.15
 unknown Germany
44780 EVERSCALE-ASDE true
51.210.242.234
 unknown France
16276 OVHFR true
217.182.143.207
 unknown France
16276 OVHFR true
69.16.218.101
 unknown United States
32244 LIQUIDWEBUS true
159.69.237.188
 unknown Germany
24940 HETZNER-ASDE true
45.138.98.34
 unknown Germany
9009 M247GB true
116.124.128.206
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
78.46.73.125
 unknown Germany
24940 HETZNER-ASDE true
37.59.209.141
 unknown France
16276 OVHFR true
210.57.209.142
 unknown Indonesia
38142 UNAIR-AS-IDUniversitasAirlanggaID true
185.148.168.220
 unknown Germany
44780 EVERSCALE-ASDE true
54.37.228.122
 unknown France
16276 OVHFR true
190.90.233.66
 unknown Colombia
18678 INTERNEXASAESPCO true
142.4.219.173
 unknown Canada
16276 OVHFR true
54.38.242.185
 unknown France
16276 OVHFR true
195.154.146.35
 unknown France
12876 OnlineSASFR true
195.77.239.39
 unknown Spain
60493 FICOSA-ASES true
78.47.204.80
 unknown Germany
24940 HETZNER-ASDE true
37.44.244.177
 unknown Germany
47583 AS-HOSTINGERLT true
62.171.178.147
 unknown United Kingdom
51167 CONTABODE true
128.199.192.135
 unknown United Kingdom
14061 DIGITALOCEAN-ASNUS true

Private
IP
192.168.2.1
127.0.0.1